{ "log": { "version": "1.2", "creator": { "name": "WebInspector", "version": "537.36" }, "pages": [], "entries": [ { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchActiveMaintenanceWindows", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80723, "columnNumber": 28 }, { "functionName": "Object.enabled.enabled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80994, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": 
"createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198444, "columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": 
"8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "GET", "url": "http://localhost:5601/internal/alerting/rules/maintenance_window/_active", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 1984, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, 
must-revalidate" }, { "name": "content-length", "value": "2" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 2, "mimeType": "application/json", "compression": 0, "text": "[]" }, "redirectURL": "", "headersSize": 1334, "bodySize": 2, "_transferSize": 1336, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.358Z", "time": 58.441000001039356, "timings": { "blocked": 1.9420000374875963, "dns": -1, "ssl": -1, "connect": -1, "send": 0.11099999999999999, "wait": 56.080000004801896, "receive": 0.3079999587498605, "_blocked_queueing": 0.7770000374875963, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141804, "columnNumber": 86 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277380, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 198444, "columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 
}, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2396293", "request": { "method": "GET", "url": "http://localhost:5601/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc&filter=(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [ { "name": "page", "value": "1" }, { "name": "per_page", "value": "20" }, { "name": "sort_field", "value": "enabled" }, { "name": "sort_order", "value": "desc" }, { "name": "filter", "value": 
"(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)" } ], "cookies": [], "headersSize": 2941, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": 
"Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5020, "mimeType": "application/json", "compression": 2729, "text": "{\"page\":1,\"perPage\":20,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:50:24.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":1,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address 
(`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA 
rules are regularly modified in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.update\\n\",\"actions\":[]}]}" }, "redirectURL": "", "headersSize": 1401, "bodySize": 2291, "_transferSize": 3692, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.358Z", 
"time": 88.20100000593811, "timings": { "blocked": 1.5639999941550196, "dns": -1, "ssl": -1, "connect": -1, "send": 0.061999999999999944, "wait": 86.14100002492964, "receive": 0.43399998685345054, "_blocked_queueing": 0.6489999941550195, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "performUpgradeSpecificRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142168, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276596, "columnNumber": 83 }, { "functionName": "fn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196387, "columnNumber": 30 }, { 
"functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "executeMutation", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196381, "columnNumber": 90 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196438, "columnNumber": 25 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": 
"invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2396293", "request": { "method": "POST", "url": "http://localhost:5601/internal/detection_engine/prebuilt_rules/upgrade/_perform", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": 
"Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "760" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2068, 
"bodySize": 760, "postData": { "mimeType": "application/json", "text": "{\"mode\":\"SPECIFIC_RULES\",\"rules\":[{\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"version\":310,\"revision\":0,\"fields\":{\"references\":{\"pick_version\":\"RESOLVED\",\"resolved_value\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"]},\"related_integrations\":{\"pick_version\":\"RESOLVED\",\"resolved_value\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}]}}}],\"pick_version\":\"MERGED\"}" } }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "270" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), 
geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 270, "mimeType": "application/json", "compression": 0, "text": "{\"summary\":{\"total\":1,\"skipped\":0,\"succeeded\":0,\"failed\":1},\"results\":{\"updated\":[],\"skipped\":[]},\"errors\":[{\"message\":\"Revision mismatch for rule_id 000047bb-b27a-47ec-8b62-ef1a5d2c9e19: expected 1, got 0\",\"rules\":[{\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\"}]}]}" }, "redirectURL": "", "headersSize": 1338, "bodySize": 270, "_transferSize": 1608, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.577Z", "time": 161.19200002867728, "timings": { "blocked": 0.9720000527165831, "dns": -1, "ssl": -1, "connect": -1, "send": 0.04199999999999998, "wait": 159.88199999216943, "receive": 0.2959999837912619, "_blocked_queueing": 0.779000052716583, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", 
"scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141804, "columnNumber": 86 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277380, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": 
"refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277411, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276602, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2396293", "request": { "method": "GET", "url": "http://localhost:5601/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc&filter=(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [ { "name": "page", "value": "1" }, { "name": "per_page", "value": "20" }, { "name": "sort_field", "value": "enabled" }, { "name": "sort_order", "value": "desc" }, { "name": "filter", "value": 
"(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)" } ], "cookies": [], "headersSize": 2941, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": 
"Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5020, "mimeType": "application/json", "compression": 2729, "text": "{\"page\":1,\"perPage\":20,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:50:24.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":1,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address 
(`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA 
rules are regularly modified in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.update\\n\",\"actions\":[]}]}" }, "redirectURL": "", "headersSize": 1401, "bodySize": 2291, "_transferSize": 3692, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.770Z", 
"time": 909.5240000169724, "timings": { "blocked": 0.7380000261031091, "dns": -1, "ssl": -1, "connect": -1, "send": 0.057999999999999996, "wait": 884.6169999847822, "receive": 24.111000006087124, "_blocked_queueing": 0.3780000261031091, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRulesSnoozeSettings", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141850, "columnNumber": 102 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277303, "columnNumber": 77 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, 
{ "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": 
"", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277325, "columnNumber": 23 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276603, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { 
"functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "POST", "url": "http://localhost:5601/internal/alerting/rules/_find", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "162" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { 
"name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2016, "bodySize": 162, "postData": { "mimeType": "application/json", "text": "{\"filter\":\"alert.id:\\\"alert:561cb5f3-6c26-4547-8959-681ac9b83e2b\\\"\",\"fields\":\"[\\\"muteAll\\\",\\\"activeSnoozes\\\",\\\"isSnoozedUntil\\\",\\\"snoozeSchedule\\\"]\",\"per_page\":1}" } }, "response": { "status": 
200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "163" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 163, "mimeType": "application/json", "compression": 0, "text": "{\"page\":1,\"per_page\":1,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"actions\":[],\"mute_all\":false,\"snooze_schedule\":[],\"is_snoozed_until\":null}]}" }, "redirectURL": "", "headersSize": 1314, "bodySize": 163, "_transferSize": 1477, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.771Z", "time": 125.02799998037517, "timings": { "blocked": 0.7329999587498606, "dns": -1, "ssl": -1, "connect": -1, "send": 0.030000000000000027, "wait": 123.93799997640774, "receive": 0.32700004521757364, "_blocked_queueing": 0.3079999587498605, "_workerStart": -1, "_workerReady": -1, 
"_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRuleManagementFilters", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142020, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277231, "columnNumber": 98 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277251, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276604, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "GET", "url": "http://localhost:5601/internal/detection_engine/rules/_rule_management_filters", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2014, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:09 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": 
"cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 2972, "mimeType": "application/json", "compression": 1962, "text": "{\"rules_summary\":{\"custom_count\":0,\"prebuilt_installed_count\":1191},\"aggregated_fields\":{\"tags\":[\"Data Source: APM\",\"Data Source: AWS\",\"Data Source: AWS Bedrock\",\"Data Source: AWS CloudWatch\",\"Data Source: AWS Cloudtrail\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Data Source: AWS KMS\",\"Data Source: AWS Lambda\",\"Data Source: AWS RDS\",\"Data Source: AWS Redshift\",\"Data Source: AWS Route53\",\"Data Source: AWS S3\",\"Data Source: AWS SSM\",\"Data Source: AWS STS\",\"Data Source: AWS Secrets Manager\",\"Data Source: AWS Signin\",\"Data Source: AWS Systems Manager\",\"Data Source: Active Directory\",\"Data Source: Amazon EC2\",\"Data Source: Amazon Route53\",\"Data Source: Amazon S3\",\"Data Source: Amazon Web Services\",\"Data Source: Auditd Manager\",\"Data Source: 
Azure\",\"Data Source: Cloudformation\",\"Data Source: CyberArk PAS\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Defend for Containers\",\"Data Source: Elastic Endgame\",\"Data Source: File Integrity Monitoring\",\"Data Source: GCP\",\"Data Source: Github\",\"Data Source: Google Cloud Platform\",\"Data Source: Google Workspace\",\"Data Source: Kubernetes\",\"Data Source: Microsoft 365\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Microsoft Entra ID\",\"Data Source: Network\",\"Data Source: Okta\",\"Data Source: PowerShell Logs\",\"Data Source: Rapid7 Threat Command\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Windows\",\"Data Source: Zoom\",\"Domain: Cloud\",\"Domain: Container\",\"Domain: Endpoint\",\"Domain: LLM\",\"Domain: Network\",\"Domain: SaaS\",\"Mitre Atlas: LLM04\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Resources: Investigation Guide\",\"Rule Type: BBR\",\"Rule Type: Higher-Order Rule\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Rule Type: Threat Match\",\"Tactic: Collection\",\"Tactic: Command and Control\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Tactic: Exfiltration\",\"Tactic: Impact\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Reconnaissance\",\"Tactic: Resource Development\",\"Tactic:Execution\",\"Threat: BPFDoor\",\"Threat: Cobalt Strike\",\"Threat: Lightning Framework\",\"Threat: Orbit\",\"Threat: Rootkit\",\"Threat: TripleCross\",\"Use Case: Active Directory Monitoring\",\"Use Case: Asset Visibility\",\"Use Case: C2 Beaconing Detection\",\"Use Case: Configuration Audit\",\"Use Case: Continuous Monitoring\",\"Use Case: Data Exfiltration Detection\",\"Use Case: Domain Generation Algorithm Detection\",\"Use Case: Guided 
Onboarding\",\"Use Case: Identity and Access Audit\",\"Use Case: Lateral Movement Detection\",\"Use Case: Living off the Land Attack Detection\",\"Use Case: Log Auditing\",\"Use Case: Network Security Monitoring\",\"Use Case: Policy Violation\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Use Case: Vulnerability\"]}}" }, "redirectURL": "", "headersSize": 1392, "bodySize": 1010, "_transferSize": 2402, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.771Z", "time": 131.606999959331, "timings": { "blocked": 0.7729999800622464, "dns": -1, "ssl": -1, "connect": -1, "send": 0.018000000000000016, "wait": 125.32999999925866, "receive": 5.485999980010092, "_blocked_queueing": 0.24199998006224632, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "reviewRuleUpgrade", "scriptId": 
"9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142130, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142370, "columnNumber": 89 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 
89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142390, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276605, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { 
"functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395198", "request": { "method": "POST", "url": "http://localhost:5601/internal/detection_engine/prebuilt_rules/upgrade/_review", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "0" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", 
\"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2065, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:11 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 9402899, "mimeType": 
"application/json", "compression": 8414855, "text": "{\"stats\":{\"num_rules_to_upgrade_total\":661,\"num_rules_with_conflicts\":660,\"num_rules_with_non_solvable_conflicts\":8,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\",\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Tactic: Initial Access\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Tactic: Lateral Movement\",\"Use Case: Network Security Monitoring\",\"Domain: SaaS\",\"OS: Windows\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Google Workspace\",\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"OS: Linux\",\"OS: macOS\",\"Data Source: Sysmon\",\"Tactic: Privilege Escalation\",\"Tactic: Collection\",\"Tactic: Exfiltration\",\"Data Source: PowerShell Logs\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\",\"Use Case: Living off the Land Attack Detection\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Command and Control\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\",\"Data Source: File Integrity Monitoring\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Auditd Manager\",\"Threat: Rootkit\",\"Use Case: Vulnerability\",\"Data Source: Microsoft 365\",\"Data Source: AWS EC2\",\"Data Source: AWS STS\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Configuration Audit\",\"Data Source: 
APM\",\"Data Source: Windows\",\"Data Source: System\",\"Data Source: AWS IAM\",\"Tactic:Execution\",\"Domain: Container\",\"Data Source: AWS KMS\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: LLM04\",\"Threat: BPFDoor\"]},\"rules\":[{\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"revision\":0,\"current_rule\":{\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"updated_at\":\"2024-12-04T19:45:45.870Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.870Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Repository Deleted\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. 
Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.module == \\\"github\\\" and event.action == \\\"repo.destroy\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Repository Deleted\",\"description\":\"This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. 
Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.870Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.module == \\\"github\\\" and event.action == \\\"repo.destroy\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":true,\"base_version\":2,\"current_version\":2,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=A, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"}},\"num_fields_with_updates\":1,\"num_fields_with_conflicts\":0,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"revision\":1,\"current_rule\":{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:50:24.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":1,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of 
the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your 
organization.\"],\"from\":\"now-6m\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.update\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Policy Rule\",\"description\":\"Detects attempts to modify a rule within an Okta policy. 
An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"revision\":2,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.update\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"revision\":0,\"current_rule\":{\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"updated_at\":\"2024-12-04T19:46:02.749Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.749Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of GitHub User Interaction with Private Repo\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and user.name:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"user.name\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of GitHub User Interaction with Private Repo\",\"description\":\"Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.749Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and user.name:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"user.name\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"revision\":0,\"current_rule\":{\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"updated_at\":\"2024-12-04T19:46:02.752Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.752Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of GitHub Repo Interaction From a New IP\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.repo:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.repo\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of GitHub Repo Interaction From a New IP\",\"description\":\"Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.752Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.repo:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.repo\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"revision\":0,\"current_rule\":{\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"updated_at\":\"2024-12-04T19:45:41.470Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.470Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Protected Branch Settings Changed\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. 
Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" \\n and github.category == \\\"protected_branch\\\" and event.type == \\\"change\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Protected Branch Settings Changed\",\"description\":\"This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. 
Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.470Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" \\n and github.category == \\\"protected_branch\\\" and event.type == 
\\\"change\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"revision\":0,\"current_rule\":{\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"updated_at\":\"2024-12-04T19:46:03.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.682Z\",\"created_by\":\"elastic\",\"name\":\"Member Removed From GitHub Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A member was removed or their invitation to join was removed from a GitHub Organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.remove_member\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Member Removed From GitHub Organization\",\"description\":\"A member was removed or their invitation to join was removed from a GitHub Organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.682Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.remove_member\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"revision\":0,\"current_rule\":{\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"updated_at\":\"2024-12-04T19:46:03.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.689Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of User Agent For a GitHub Personal Access Token 
(PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access 
token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of User Agent For a GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.689Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"revision\":0,\"current_rule\":{\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"updated_at\":\"2024-12-04T19:46:03.708Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.708Z\",\"created_by\":\"elastic\",\"name\":\"New GitHub App Installed\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. 
Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1072\",\"name\":\"Software Deployment Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1072/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"integration_installation.create\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New GitHub App Installed\",\"description\":\"This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. 
Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1072\",\"name\":\"Software Deployment Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1072/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.708Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"integration_installation.create\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"updated_at\":\"2024-12-04T19:45:43.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.581Z\",\"created_by\":\"elastic\",\"name\":\"Okta Sign-In Events via Third-Party IdP\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Sign-In Events via Third-Party IdP\\n\\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\\n\\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. 
This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\\n\\n#### Possible investigation steps:\\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if this IdP is authorized to be used by the tenant.\\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\\n- 
Mobile device forensics may be required to determine if the user's device is compromised.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1199\",\"name\":\"Trusted 
Relationship\",\"reference\":\"https://attack.mitre.org/techniques/T1199/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.authentication_context.issuer.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.request_uri\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\\n or user.authentication.auth_via_inbound_SAML\\n or user.authentication.auth_via_mfa\\n or user.authentication.auth_via_social)\\n or event.action:user.session.start) or\\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\\n and okta.outcome.reason:(\\\"A SAML assert with the same ID has already been processed by Okta for a previous request\\\"\\n or \\\"Unable to match transformed username\\\"\\n or \\\"Unable to resolve 
IdP endpoint\\\"\\n or \\\"Unable to validate SAML Response\\\"\\n or \\\"Unable to validate incoming SAML Assertion\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta Sign-In Events via Third-Party IdP\",\"description\":\"Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Sign-In Events via Third-Party IdP\\n\\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\\n\\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\\n\\n#### Possible investigation steps:\\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if this IdP is authorized to be used by the tenant.\\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\\n- Mobile device forensics may be required to determine if the user's device is compromised.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: 
Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1199\",\"name\":\"Trusted Relationship\",\"reference\":\"https://attack.mitre.org/techniques/T1199/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.authentication_context.issuer.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.request_uri\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\\n or user.authentication.auth_via_inbound_SAML\\n or user.authentication.auth_via_mfa\\n or user.authentication.auth_via_social)\\n or event.action:user.session.start) or\\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\\n and okta.outcome.reason:(\\\"A SAML assert with the same ID has already been processed by Okta for a previous request\\\"\\n or \\\"Unable to match transformed username\\\"\\n or \\\"Unable to resolve IdP endpoint\\\"\\n or \\\"Unable to validate SAML Response\\\"\\n or \\\"Unable to validate incoming SAML Assertion\\\"))\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"revision\":0,\"current_rule\":{\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"updated_at\":\"2024-12-04T19:46:03.710Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.710Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: 
Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.710Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and 
\\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"updated_at\":\"2024-12-04T19:46:03.712Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.712Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Okta Device Token Cookies Generated for Authentication\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the 
`okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication 
behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If the reset occurred but the user did not request it, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Okta Device Token Cookies Generated for Authentication\",\"description\":\"Detects when an Okta client address has a certain 
threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication 
was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage 
may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If the reset occurred but the user did not request it, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.712Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE 
\\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\
"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| 
WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"revision\":0,\"current_rule\":{\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"updated_at\":\"2024-12-04T19:45:44.599Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.599Z\",\"created_by\":\"elastic\",\"name\":\"New GitHub Owner Added\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine its validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.003\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\" and github.permission == \\\"admin\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New GitHub Owner Added\",\"description\":\"Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.003\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.599Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\" and github.permission == 
\\\"admin\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"updated_at\":\"2024-12-04T19:45:44.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.615Z\",\"created_by\":\"elastic\",\"name\":\"New Okta Authentication Behavior Detected\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects events where Okta behavior detection has identified a new authentication behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Authentication Behavior Detected\\n\\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the authentication anomaly by 
examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may be using a new device or location to sign in.\\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.risk_behaviors\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New Okta Authentication Behavior Detected\",\"description\":\"Detects events where Okta behavior detection has identified a new authentication behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Authentication Behavior Detected\\n\\nThis rule detects events where Okta behavior detection has identified a new 
authentication behavior such as a new device or location.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may be using a new device or location to sign in.\\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the 
data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.risk_behaviors\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\"],\"target_version\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://
www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"updated_at\":\"2024-12-04T19:46:03.724Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.724Z\",\"created_by\":\"elastic\",\"name\":\"New Okta Identity Provider (IdP) Added by Admin\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Identity Provider (IdP) Added by Admin\\n\\nThis rule detects the creation of a new Identity 
Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts if they appear suspicious, using 
the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.007\",\"name\":\"Hybrid Identity\",\"reference\":\"https://attack.mitre.org/techniques/T1556/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset: \\\"okta.system\\\" and event.action: \\\"system.idp.lifecycle.create\\\" and okta.outcome.result: \\\"SUCCESS\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New Okta Identity Provider (IdP) Added by Admin\",\"description\":\"Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Identity Provider (IdP) Added by Admin\\n\\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Data Source: 
Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.007\",\"name\":\"Hybrid Identity\",\"reference\":\"https://attack.mitre.org/techniques/T1556/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.724Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset: \\\"okta.system\\\" and event.action: \\\"system.idp.lifecycle.create\\\" and okta.outcome.result: \\\"SUCCESS\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"updated_at\":\"2024-12-04T19:45:44.714Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.714Z\",\"created_by\":\"elastic\",\"name\":\"Okta User Sessions Started from Different Geolocations\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and analysis\\n\\n### Investigating Okta User Sessions Started from Different Geolocations\\n\\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. 
Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries 
in a short time frame.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":101,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta User Sessions Started from Different Geolocations\",\"description\":\"Detects when a specific Okta actor has multiple sessions started from different geolocations. 
Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and analysis\\n\\n### Investigating Okta User Sessions Started from Different Geolocations\\n\\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Review the past activities of 
the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being 
generated.\\n\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.714Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| 
WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":101,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.c
om/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == 
\\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"revision\":0,\"current_rule\":{\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"updated_at\":\"2024-12-04T19:45:45.905Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.905Z\",\"created_by\":\"elastic\",\"name\":\"Attempted Bypass of Okta MFA\",\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempted Bypass of Okta MFA\\n\\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\\n\\nThis rule detects attempts to bypass Okta MFA. 
It might indicate a serious attempt to compromise a user account within the organization's network.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the MFA bypass attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\\n\\n### False positive analysis\\n\\n- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's MFA settings to ensure they are correctly configured.\\n\\n### Response and remediation\\n\\n- If unauthorized access is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1111\",\"name\":\"Multi-Factor Authentication 
Interception\",\"reference\":\"https://attack.mitre.org/techniques/T1111/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.attempt_bypass\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempted Bypass of Okta MFA\",\"description\":\"Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempted Bypass of Okta MFA\\n\\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\\n\\nThis rule detects attempts to bypass Okta MFA. 
It might indicate a serious attempt to compromise a user account within the organization's network.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the MFA bypass attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\\n\\n### False positive analysis\\n\\n- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's MFA settings to ensure they are correctly configured.\\n\\n### Response and remediation\\n\\n- If unauthorized access is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential 
Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1111\",\"name\":\"Multi-Factor Authentication Interception\",\"reference\":\"https://attack.mitre.org/techniques/T1111/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.905Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:user.mfa.attempt_bypass\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"revision\":0,\"current_rule\":{\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"updated_at\":\"2024-12-04T19:46:03.743Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.743Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of IP Address For GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of IP Address For GitHub User\",\"description\":\"Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.743Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"revision\":0,\"current_rule\":{\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"updated_at\":\"2024-12-04T19:46:03.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.748Z\",\"created_by\":\"elastic\",\"name\":\"GitHub User Blocked From Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A GitHub user was blocked from access to an organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == 
\\\"github.audit\\\" and event.action == \\\"org.block_user\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub User Blocked From Organization\",\"description\":\"A GitHub user was blocked from access to an organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == 
\\\"org.block_user\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"revision\":0,\"current_rule\":{\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"updated_at\":\"2024-12-04T19:46:03.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.750Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of User-Agent For a GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of User-Agent For a GitHub User\",\"description\":\"Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"revision\":0,\"current_rule\":{\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"updated_at\":\"2024-12-04T19:45:46.716Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.716Z\",\"created_by\":\"elastic\",\"name\":\"Okta Brute Force or Password Spraying Attack\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Brute Force or Password Spraying Attack\\n\\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\\n\\n#### Possible investigation steps:\\n\\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\\n- Check the timeline of the events. 
Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\\n- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?\\n\\n### False positive analysis:\\n\\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\\n\\n### Response and remediation:\\n\\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\\n- Enhance monitoring on the affected user accounts for any suspicious activity.\\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\\n- Review and update your security policies based on the findings from the incident.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and event.outcome:failure\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"actions\":[]},\"target_rule\":{\"name\":\"Okta Brute Force or Password Spraying Attack\",\"description\":\"Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Brute Force or Password Spraying Attack\\n\\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. 
This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\\n\\n#### Possible investigation steps:\\n\\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\\n- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?\\n\\n### False positive analysis:\\n\\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\\n\\n### Response and remediation:\\n\\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\\n- Notify the users who are targeted by the attack. 
Ask them to change their passwords and ensure they use unique, complex passwords.\\n- Enhance monitoring on the affected user accounts for any suspicious activity.\\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\\n- Review and update your security policies based on the findings from the incident.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.716Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and event.category:authentication and event.outcome:failure\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"revision\":0,\"current_rule\":{\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"updated_at\":\"2024-12-04T19:45:47.787Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.787Z\",\"created_by\":\"elastic\",\"name\":\"Unauthorized Access to an Okta Application\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unauthorized access attempts to Okta applications.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unauthorized Access to an Okta Application\",\"description\":\"Identifies unauthorized access attempts to Okta applications.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin 
Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.787Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"
https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"updated_at\":\"2024-12-04T19:45:47.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.792Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\\n\\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\\n\\n#### Possible investigation steps:\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may 
share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.\",\"Users may share an endpoint related to work or personal use in which separate Okta accounts 
are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.dt_hash\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system\\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\\n\",\"threshold\":{\"field\":[\"okta.debug_context.debug_data.dt_hash\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.actor.id\",\"value\":3}]},\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\",\"description\":\"Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\\n\\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\\n\\n#### Possible investigation steps:\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may 
share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential 
Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.\",\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.dt_hash\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system\\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\\n\",\"threshold\":{\"field\":[\"okta.debug_context.debug_data.dt_hash\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.actor.id\",\"value\":3}]},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"updated_at\":\"2024-12-04T19:46:03.765Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.765Z\",\"created_by\":\"elastic\",\"name\":\"Stolen Credentials Used to Login to Okta Account After MFA Reset\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Domain: Cloud\"],\"interval\":\"6h\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\\n\\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\\n\\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. 
The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\\n\\n#### Possible investigation steps:\\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\\n\\n### False positive analysis:\\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\\n\\n### Response and remediation:\\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\\n - Ensure that all user sessions are stopped during this process.\\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\\n\\n## Setup\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\"],\"from\":\"now-12h\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\",\".alerts-security.*\",\"logs-endpoint.events.*\"],\"query\":\"sequence by user.name with maxspan=12h\\n [any where host.os.type == \\\"windows\\\" and signal.rule.threat.tactic.name == \\\"Credential Access\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.update\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type: (\\\"user.session.start\\\", \\\"user.authentication*\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Stolen Credentials Used to Login to Okta Account After MFA Reset\",\"description\":\"Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\\n\\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\\n\\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. 
The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\\n\\n#### Possible investigation steps:\\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\\n\\n### False positive analysis:\\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\\n\\n### Response and remediation:\\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\\n - Ensure that all user sessions are stopped during this process.\\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\\n\\n## Setup\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Domain: Cloud\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"6h\",\"from\":\"now-12h\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.646Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.765Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.name with maxspan=12h\\n [any where host.os.type == \\\"windows\\\" and signal.rule.threat.tactic.name == \\\"Credential Access\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.update\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type: (\\\"user.session.start\\\", \\\"user.authentication*\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\",\".alerts-security.*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"revision\":0,\"current_rule\":{\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"updated_at\":\"2024-12-04T19:46:03.783Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.783Z\",\"created_by\":\"elastic\",\"name\":\"New User Added To GitHub Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new user was added to a GitHub organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New User Added To GitHub Organization\",\"description\":\"A new user was added to a GitHub organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.783Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"updated_at\":\"2024-12-04T19:45:48.936Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.936Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta Sessions Detected for a Single 
User\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Lateral Movement\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.\"],\"from\":\"now-30m\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.004\",\"name\":\"Web Session 
Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1550/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.display_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.authentication_context.external_session_id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\\n\",\"threshold\":{\"field\":[\"okta.actor.id\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.authentication_context.external_session_id\",\"value\":3}]},\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta Sessions Detected for a Single User\",\"description\":\"Detects when a user has started multiple Okta sessions with the same user account and different session IDs. 
This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Lateral Movement\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.004\",\"name\":\"Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1550/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.display_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.authentication_context.external_session_id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.936Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\\n\",\"threshold\":{\"field\":[\"okta.actor.id\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.authentication_context.external_session_id\",\"value\":3}]},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"revision\":0,\"current_rule\":{\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"updated_at\":\"2024-12-04T19:45:49.946Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.946Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy\\n\\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\\n\\n### False positive analysis:\\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Lock the actor's account and enforce password change as an immediate response.\\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\\n- Review any other actions taken by the actor to assess the overall impact.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.update\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Policy\",\"description\":\"Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy\\n\\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. 
If such an attempt is detected, consider the following steps for investigation.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Check the nature of the policy modification. You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\\n\\n### False positive analysis:\\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\\n- Verify the actor's geographical location and the time of the modification attempt. 
If these align with the actor's regular behavior, it could be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Lock the actor's account and enforce password change as an immediate response.\\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\\n- Review any other actions taken by the actor to assess the overall impact.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.946Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.update\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"revision\":0,\"current_rule\":{\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"updated_at\":\"2024-12-04T19:45:49.951Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.951Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Revoke Okta API Token\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Revoke Okta API Token\\n\\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\\n- Verify if the API token revocation was authorized or part of some planned activity.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Analyze the past activities of the actor involved in this action. 
An actor who usually performs such activities may indicate a legitimate reason.\\n- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\\n\\n### Response and remediation:\\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.revoke\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Revoke Okta API Token\",\"description\":\"Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Revoke Okta API Token\\n\\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\\n- Determine the client used by the actor. 
Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\\n- Verify if the API token revocation was authorized or part of some planned activity.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\\n- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\\n\\n### Response and remediation:\\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false 
positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.951Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.revoke\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"revision\":0,\"current_rule\":{\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"updated_at\":\"2024-12-04T19:45:49.958Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.958Z\",\"created_by\":\"elastic\",\"name\":\"Okta ThreatInsight Threat Suspected Promotion\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. 
When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"rule_name_override\":\"okta.display_message\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"threat\":[],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.threat_suspected\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"l
anguage\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta ThreatInsight Threat Suspected Promotion\",\"description\":\"Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.\",\"risk_score\":47,\"severity\":\"medium\",\"rule_name_override\":\"okta.display_message\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: 
Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[],\"setup\":\"\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.threat_suspected\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.958Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: 
true)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"revision\":0,\"current_rule\":{\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"updated_at\":\"2024-12-04T19:46:03.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.790Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Repo Created\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new GitHub repository was created.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"repo.create\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Repo Created\",\"description\":\"A new GitHub repository was created.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"repo.create\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"updated_at\":\"2024-12-04T19:46:03.795Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.795Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Okta User Session Started via 
Proxy\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the first occurrence of an Okta user session started via a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Occurrence of Okta User Session Started via Proxy\\n\\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n\\n### Response and remediation:\\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n\\n## Setup\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1133\",\"name\":\"External Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1133/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"new_terms\",\"query\":\"event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\\n\",\"new_terms_fields\":[\"okta.actor.id\",\"cloud.account.id\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Okta User Session Started via Proxy\",\"description\":\"Identifies the first occurrence of an Okta user session started via a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Occurrence of Okta User Session Started via Proxy\\n\\nThis rule detects the first occurrence of an Okta user session started via a 
proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n\\n### Response and remediation:\\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in 
accordance with security best practices.\\n\\n## Setup\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1133\",\"name\":\"External Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1133/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.795Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\\n\",\"new_terms_fields\":[\"okta.actor.id\",\"cloud.account.id\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"revision\":0,\"current_rule\":{\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"updated_at\":\"2024-12-04T19:45:51.195Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.195Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Reset MFA Factors for an Okta User Account\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. 
An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.factor.reset_all\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Reset MFA Factors for an Okta User 
Account\",\"description\":\"Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.195Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.factor.reset_all\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.
co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"updated_at\":\"2024-12-04T19:45:52.121Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.121Z\",\"created_by\":\"elastic\",\"name\":\"Potential Okta MFA Bombing via Push Notifications\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Okta MFA Bombing via Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. 
However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor Authentication Request 
Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\"\\n and okta.event_type == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=5\\n until [authentication where event.dataset == \\\"okta.system\\\"\\n and (okta.event_type: (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"event_category_override\":\"event.category\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Okta MFA Bombing via Push Notifications\",\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. 
An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Okta MFA Bombing via Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\\n\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor 
Authentication Request Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.121Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\"\\n and okta.event_type == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=5\\n until [authentication where event.dataset == \\\"okta.system\\\"\\n and (okta.event_type: (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"event_category_override\":\"event.category\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"revision\":0,\"current_rule\":{\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"updated_at\":\"2024-12-04T19:46:04.713Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.713Z\",\"created_by\":\"elastic\",\"name\":\"GitHub PAT Access Revoked\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Access to private GitHub organization resources was revoked for a PAT.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == 
\\\"github.audit\\\" and event.action == \\\"personal_access_token.access_revoked\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub PAT Access Revoked\",\"description\":\"Access to private GitHub organization resources was revoked for a PAT.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.713Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == 
\\\"personal_access_token.access_revoked\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"revision\":0,\"current_rule\":{\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"updated_at\":\"2024-12-04T19:45:52.129Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.129Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Network Zone\\n\\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deactivation of a network zone.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\\n- Investigate the `event.time` field to understand when the event happened.\\n- Review the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis\\n\\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\\n- Verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\\n- Re-enable the deactivated network zone if it was deactivated without authorization.\\n- Review and update the privileges of the actor who initiated the deactivation.\\n- Check the security policies and procedures to identify any gaps and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"from\":\"now-6m\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Network Zone\",\"description\":\"Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Network Zone\\n\\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. 
Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deactivation of a network zone.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\\n- Investigate the `event.time` field to understand when the event happened.\\n- Review the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis\\n\\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's normal behavior, it might be a false positive.\\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\\n- Verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\\n- Re-enable the deactivated network zone if it was deactivated without authorization.\\n- Review and update the privileges of the actor who initiated the deactivation.\\n- Check the security policies and procedures to identify any gaps and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access 
Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.129Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https:/
/developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"updated_at\":\"2024-12-04T19:46:04.720Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.720Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Authentication Events with Client Address\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Client Address\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the 
`okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication 
behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so, and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively, adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Authentication Events with Client Address\",\"description\":\"Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Client Address\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide 
additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is 
required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.720Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == 
\\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://ww
w.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, 
event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"updated_at\":\"2024-12-04T19:46:04.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.723Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Authentication Events with Same Device Token Hash\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\\n\\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of 
the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the 
`okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential 
Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Authentication Events with Same Device Token Hash\",\"description\":\"Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\\n\\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for 
those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting 
passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE 
\\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-T
oken-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM 
logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"revision\":0,\"current_rule\":{\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"updated_at\":\"2024-12-04T19:45:53.179Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.179Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Create Okta API Token\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. 
An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.create\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Create Okta API Token\",\"description\":\"Detects attempts to create an Okta API token. 
An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.179Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.create\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.el
astic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"revision\":0,\"current_rule\":{\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"updated_at\":\"2024-12-04T19:45:53.195Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.195Z\",\"created_by\":\"elastic\",\"name\":\"Potentially Successful MFA Bombing via Push Notifications\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Abuse of Repeated MFA Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. 
However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor Authentication Request 
Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and event.action == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=3\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and (event.action : (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"event_category_override\":\"event.category\",\"actions\":[]},\"target_rule\":{\"name\":\"Potentially Successful MFA Bombing via Push Notifications\",\"description\":\"Detects when an attacker abuses the Multi-Factor authentication 
mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Abuse of Repeated MFA Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor 
Authentication Request Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.195Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and event.action == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=3\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and (event.action : (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"event_category_override\":\"event.category\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"revision\":0,\"current_rule\":{\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"updated_at\":\"2024-12-04T19:45:54.186Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.186Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Owner Role Granted To User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.update_member\\\" and github.permission == \\\"admin\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Owner Role Granted To User\",\"description\":\"This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.186Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.update_member\\\" and github.permission == 
\\\"admin\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"revision\":0,\"current_rule\":{\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"updated_at\":\"2024-12-04T19:45:56.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.560Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy\\n\\nOkta policies are critical to managing user access and enforcing security controls within an organization. 
The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Policy\",\"description\":\"Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy\\n\\nOkta policies are critical to managing user access and enforcing security controls within an organization. 
The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.lifecycle.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"revision\":0,\"current_rule\":{\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"updated_at\":\"2024-12-04T19:45:56.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.581Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy\\n\\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. 
Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Policy\",\"description\":\"Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy\\n\\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. 
Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false 
positives.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.lifecycle.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"revision\":0,\"current_rule\":{\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"updated_at\":\"2024-12-04T19:45:56.587Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.587Z\",\"created_by\":\"elastic\",\"name\":\"Administrator Privileges Assigned to an Okta Group\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-6m\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:group.privilege.grant\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Administrator Privileges Assigned to an Okta Group\",\"description\":\"Detects when an administrator role is assigned to an Okta group. 
An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.587Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:group.privilege.grant\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/r
eference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"revision\":0,\"current_rule\":{\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"updated_at\":\"2024-12-04T19:45:57.464Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.464Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Network Zone\\n\\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deletion of a network zone.\\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\\n- Review the `event.time` field to understand when the event happened.\\n- Check the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis:\\n\\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation:\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\\n- Review and update the privileges of the actor who initiated the deletion.\\n- Identify any gaps in the security policies and procedures and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly deleted.\"],\"from\":\"now-6m\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Network Zone\",\"description\":\"Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Network Zone\\n\\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deletion of a network zone.\\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\\n- Review the `event.time` field to understand when the event happened.\\n- Check the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis:\\n\\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's typical behavior, it might be a false positive.\\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation:\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\\n- Review and update the privileges of the actor who initiated the deletion.\\n- Identify any gaps in the security policies and procedures and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone 
settings.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly deleted.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.464Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://dev
eloper.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"revision\":0,\"current_rule\":{\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"updated_at\":\"2024-12-04T19:45:57.466Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.466Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.update\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Application\",\"description\":\"Detects attempts to modify an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.466Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.update\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/
api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"updated_at\":\"2024-12-04T19:45:58.411Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.411Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Device Token Hashes for Single Okta Session\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\",\"Domain: SaaS\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. 
Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Device Token Hashes for Single Okta Session\\n\\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta 
and application.\\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\\n\\n### Response and remediation:\\n- Consider stopping all sessions for the user(s) involved in this action.\\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\"],\"version\":102,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Device Token Hashes for Single Okta 
Session\",\"description\":\"This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Device Token Hashes for Single Okta Session\\n\\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\\n- Review the past activities of the actor(s) involved in this 
action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\\n\\n### Response and remediation:\\n- Consider stopping all sessions for the user(s) involved in this action.\\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being 
generated.\\n\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\",\"Domain: SaaS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.411Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where 
session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":102,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == 
\\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN 
(\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"revision\":0,\"current_rule\":{\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"updated_at\":\"2024-12-04T19:45:58.421Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.421Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate a rule within an Okta policy. 
An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy Rule\\n\\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\\n\\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. 
This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Policy Rule\",\"description\":\"Detects attempts to deactivate a rule within an Okta policy. 
An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy Rule\\n\\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\\n\\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta 
system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.421Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.rule.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"revision\":0,\"current_rule\":{\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"updated_at\":\"2024-12-04T19:45:58.423Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.423Z\",\"created_by\":\"elastic\",\"name\":\"Modification or Removal of an Okta Application Sign-On Policy\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify or delete a sign on policy for an Okta application. 
An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.policy.sign_on.update or 
application.policy.sign_on.rule.delete)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification or Removal of an Okta Application Sign-On Policy\",\"description\":\"Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.423Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta
.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"revision\":0,\"current_rule\":{\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"updated_at\":\"2024-12-04T19:45:58.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.436Z\",\"created_by\":\"elastic\",\"name\":\"MFA Deactivation with no Re-Activation for Okta User Account\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Domain: Cloud\"],\"interval\":\"6h\",\"enabled\":false,\"revision\":0,\"description\":\"Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. 
An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-12h\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.client.user_agent.raw_user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The 
Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta.system*\"],\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.deactivate\\\"\\n and okta.outcome.result == \\\"SUCCESS\\\" and not okta.client.user_agent.raw_user_agent like \\\"SFDC-Callout*\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MFA Deactivation with no Re-Activation for Okta User Account\",\"description\":\"Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Domain: Cloud\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"6h\",\"from\":\"now-12h\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\\n\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.436Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta.system*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. 
An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.client.user_agent.raw_user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}
,{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.deactivate\\\"\\n and okta.outcome.result == \\\"SUCCESS\\\" and not okta.client.user_agent.raw_user_agent like \\\"SFDC-Callout*\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"revision\":0,\"current_rule\":{\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"updated_at\":\"2024-12-04T19:45:58.439Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.439Z\",\"created_by\":\"elastic\",\"name\":\"Okta User Session Impersonation\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta User Session Impersonation\\n\\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. 
This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Review the `event.action` field to confirm the initiation of the impersonation event.\\n- Check the `event.time` field to understand the timing of the event.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\\n\\n### False positive analysis\\n\\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\\n- Ensure that the impersonation session was initiated by an authorized individual. You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\\n\\n### Response and remediation\\n\\n- If the impersonation was not authorized, consider it as a breach. 
Suspend the user account of the impersonator immediately.\\n- Reset the user session and invalidate any active sessions related to the impersonated user.\\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\\n- Review and update your security policies to prevent such incidents in the future.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.session.impersonation.initiate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta User 
Session Impersonation\",\"description\":\"A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta User Session Impersonation\\n\\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Review the `event.action` field to confirm the initiation of the impersonation event.\\n- Check the `event.time` field to understand the timing of the event.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\\n\\n### False positive analysis\\n\\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\\n\\n### Response and remediation\\n\\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\\n- Reset the user session and invalidate any active sessions related to the impersonated user.\\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\\n- Review and update your security policies to prevent such incidents in the future.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.439Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.session.impersonation.initiate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elas
tic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"revision\":0,\"current_rule\":{\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"updated_at\":\"2024-12-04T19:46:04.771Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.771Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence GitHub Event for a Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\nevent.action:* and github.hashed_token:* and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"event.action\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence GitHub Event for a Personal Access Token (PAT)\",\"description\":\"Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: 
Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.771Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\nevent.action:* and github.hashed_token:* and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"event.action\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"revision\":0,\"current_rule\":{\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"updated_at\":\"2024-12-04T19:45:58.485Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.485Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Application\",\"description\":\"Detects attempts to delete an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.485Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://w
ww.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"revision\":0,\"current_rule\":{\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"updated_at\":\"2024-12-04T19:45:58.502Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.502Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy Rule\\n\\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. 
Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policy rules are regularly deleted or modified as part of routine administration in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Policy Rule\",\"description\":\"Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy Rule\\n\\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. 
Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.502Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"revision\":0,\"current_rule\":{\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"updated_at\":\"2024-12-04T19:45:59.614Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.614Z\",\"created_by\":\"elastic\",\"name\":\"Attempts to Brute Force an Okta User Account\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempts to Brute Force an Okta User Account\\n\\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\\n\\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\\n- Note that the threshold counts lockouts per targeted account (`okta.actor.alternate_id`), so a password-spraying campaign that stays below the lockout limit on each account will not trigger this rule; pivot on `okta.client.ip` across all failed authentication events to surface distributed attempts.\\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\\n- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.\\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\\n\\n### False positive analysis:\\n\\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\\n- Ensure there are no known network or application issues that might cause these events.\\n\\n### Response and remediation:\\n\\n- Alert the user and your IT department immediately.\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Require the affected user to change their password.\\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\\n- Implement account lockout policies to limit the impact of brute force attacks.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-180m\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.lock\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":3},\"actions\":[]},\"target_rule\":{\"name\":\"Attempts to Brute Force an Okta User Account\",\"description\":\"Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempts to Brute Force an Okta User Account\\n\\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\\n\\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\\n- If the IP is not familiar, investigate it. 
The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\\n- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.\\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\\n\\n### False positive analysis:\\n\\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\\n- Ensure there are no known network or application issues that might cause these events.\\n\\n### Response and remediation:\\n\\n- Alert the user and your IT department immediately.\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Require the affected user to change their password.\\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\\n- Implement account lockout policies to limit the impact of brute force attacks.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-180m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"@BenB196\",\"Austin 
Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.614Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and event.action:user.account.lock\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":3},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"revision\":0,\"current_rule\":{\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"updated_at\":\"2024-12-04T19:46:00.565Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.565Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Network Zone\\n\\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. 
This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"from\":\"now-6m\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Network Zone\",\"description\":\"Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Network Zone\\n\\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. 
This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly 
modified.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.565Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or 
zone.remove_blacklist)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"revision\":0,\"current_rule\":{\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"updated_at\":\"2024-12-04T19:46:00.580Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.580Z\",\"created_by\":\"elastic\",\"name\":\"Possible Okta DoS Attack\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects possible Denial of Service (DoS) attacks against an Okta organization. 
An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1498\",\"name\":\"Network Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1498/\"},{\"id\":\"T1499\",\"name\":\"Endpoint Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1499/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Possible Okta DoS Attack\",\"description\":\"Detects 
possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1498\",\"name\":\"Network Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1498/\"},{\"id\":\"T1499\",\"name\":\"Endpoint Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1499/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.580Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"revision\":0,\"current_rule\":{\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"updated_at\":\"2024-12-04T19:46:00.616Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.616Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Okta User Password Reset or Unlock Attempts\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\\n\\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\\n- Review the event actions associated with these attempts. 
Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\\n\\n### False positive analysis:\\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized attempts are confirmed, initiate the incident response process.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[\"The number of Okta user password reset or account unlock attempts will likely vary between organizations. 
To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.\"],\"from\":\"now-60m\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and\\n 
event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\\n user.account.unlock_token)\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":5},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Okta User Password Reset or Unlock Attempts\",\"description\":\"Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\\n\\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\\n- Review the event actions associated with these attempts. 
Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\\n\\n### False positive analysis:\\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized attempts are confirmed, initiate the incident response process.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[\"The number of Okta user password reset or account unlock attempts will likely vary between organizations. 
To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.616Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and\\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\\n user.account.unlock_token)\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":5},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"revision\":0,\"current_rule\":{\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"updated_at\":\"2024-12-04T19:46:01.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.688Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Application\\n\\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\\n\\n### Response and remediation:\\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Application\",\"description\":\"Detects attempts to deactivate an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Application\\n\\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\\n- 
An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\\n\\n### Response and remediation:\\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service 
Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.688Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"revision\":0,\"current_rule\":{\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"updated_at\":\"2024-12-04T19:46:01.700Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.700Z\",\"created_by\":\"elastic\",\"name\":\"Okta FastPass Phishing Detection\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when Okta FastPass prevents a user from authenticating to a phishing website.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\\nThis rule requires Okta to have the following turned on:\\n\\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and\\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\\\"FastPass declined phishing attempt\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta FastPass Phishing Detection\",\"description\":\"Detects when Okta FastPass prevents a user from authenticating to a phishing website.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"note\":\"\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\\nThis rule requires Okta to have the following turned on:\\n\\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin 
Console.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.700Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and\\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\\\"FastPass declined phishing attempt\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"revision\":0,\"current_rule\":{\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"updated_at\":\"2024-12-04T19:46:01.740Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.740Z\",\"created_by\":\"elastic\",\"name\":\"Administrator Role Assigned to an Okta User\",\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-6m\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.privilege.grant\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Administrator Role Assigned to an Okta User\",\"description\":\"Identifies when an administrator role is assigned to an Okta user. 
An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.740Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.privilege.grant\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Top
ics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"revision\":0,\"current_rule\":{\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"updated_at\":\"2024-12-04T19:46:04.816Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.816Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Personal Access Token (PAT) Use For a GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new PAT was used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.hashed_token:* and user.name:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"user.name\",\"github.hashed_token\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Personal Access Token (PAT) Use For a GitHub User\",\"description\":\"A new PAT was used for a GitHub user not previously seen in the last 14 
days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.816Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.hashed_token:* and user.name:* 
and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"user.name\",\"github.hashed_token\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"revision\":0,\"current_rule\":{\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"updated_at\":\"2024-12-04T19:46:02.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.674Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Activity Reported by Okta User\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user reports suspicious activity for their Okta account. 
These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may report suspicious activity on their Okta account in error.\"],\"from\":\"now-6m\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Activity Reported by Okta User\",\"description\":\"Detects when a user reports suspicious activity for their Okta account. 
These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may report suspicious activity on their Okta account in error.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.674Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"revision\":0,\"current_rule\":{\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"updated_at\":\"2024-12-04T19:46:04.818Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.818Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Cloned GitHub Repos From PAT\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-github.audit-*\"],\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and event.action:\\\"git.clone\\\" and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"threshold\":{\"field\":[\"github.hashed_token\"],\"value\":1,\"cardinality\":[{\"field\":\"github.repo\",\"value\":10}]},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Cloned GitHub Repos From PAT\",\"description\":\"Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.818Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and event.action:\\\"git.clone\\\" and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"threshold\":{\"field\":[\"github.hashed_token\"],\"value\":1,\"cardinality\":[{\"field\":\"github.repo\",\"value\":10}]},\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"revision\":0,\"current_rule\":{\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"updated_at\":\"2024-12-04T19:46:04.821Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.821Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of IP Address For GitHub Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of IP Address For GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.821Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"revision\":0,\"current_rule\":{\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"updated_at\":\"2024-12-04T19:46:04.823Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.823Z\",\"created_by\":\"elastic\",\"name\":\"GitHub App Deleted\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the deletion of a GitHub app either from a repo or an organization.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and github.category == \\\"integration_installation\\\" and event.type == \\\"deletion\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub App Deleted\",\"description\":\"Detects the deletion of a GitHub app either from a repo or an organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.823Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and github.category == \\\"integration_installation\\\" and event.type == \\\"deletion\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"revision\":0,\"current_rule\":{\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"updated_at\":\"2024-12-04T19:45:40.286Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.286Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Windows Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Windows Utilities\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\\n\\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify what information was targeted.\\n- Identify the target computer and its role in the IT environment.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the host is a domain controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (?process.pe.original_file_name : \\\"procdump\\\" or process.name : \\\"procdump.exe\\\") and process.args : \\\"-ma\\\"\\n ) or\\n (\\n process.name : \\\"ProcessDump.exe\\\" and not 
process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Cisco Systems\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"WriteMiniDump.exe\\\" or process.name : \\\"WriteMiniDump.exe\\\") and\\n not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Steam\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RUNDLL32.EXE\\\" or process.name : \\\"RUNDLL32.exe\\\") and\\n (process.args : \\\"MiniDump*\\\" or process.command_line : \\\"*comsvcs.dll*#24*\\\")\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RdrLeakDiag.exe\\\" or process.name : \\\"RdrLeakDiag.exe\\\") and\\n process.args : \\\"/fullmemdmp\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"SqlDumper.exe\\\" or process.name : \\\"SqlDumper.exe\\\") and\\n process.args : \\\"0x01100*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"TTTracer.exe\\\" or process.name : \\\"TTTracer.exe\\\") and\\n process.args : \\\"-dumpFull\\\" and process.args : \\\"-attach\\\") or\\n (\\n (?process.pe.original_file_name : \\\"ntdsutil.exe\\\" or process.name : \\\"ntdsutil.exe\\\") and\\n process.args : \\\"create*full*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"diskshadow.exe\\\" or process.name : \\\"diskshadow.exe\\\") and process.args : \\\"/s\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Windows Utilities\",\"description\":\"Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Windows Utilities\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that 
is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\\n\\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify what information was targeted.\\n- Identify the target computer and its role in the IT environment.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the host is a domain controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.286Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (?process.pe.original_file_name : \\\"procdump\\\" or process.name : \\\"procdump.exe\\\") and process.args : \\\"-ma\\\"\\n ) or\\n (\\n process.name : \\\"ProcessDump.exe\\\" and not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Cisco Systems\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"WriteMiniDump.exe\\\" 
or process.name : \\\"WriteMiniDump.exe\\\") and\\n not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Steam\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RUNDLL32.EXE\\\" or process.name : \\\"RUNDLL32.exe\\\") and\\n (process.args : \\\"MiniDump*\\\" or process.command_line : \\\"*comsvcs.dll*#24*\\\")\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RdrLeakDiag.exe\\\" or process.name : \\\"RdrLeakDiag.exe\\\") and\\n process.args : \\\"/fullmemdmp\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"SqlDumper.exe\\\" or process.name : \\\"SqlDumper.exe\\\") and\\n process.args : \\\"0x01100*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"TTTracer.exe\\\" or process.name : \\\"TTTracer.exe\\\") and\\n process.args : \\\"-dumpFull\\\" and process.args : \\\"-attach\\\") or\\n (\\n (?process.pe.original_file_name : \\\"ntdsutil.exe\\\" or process.name : \\\"ntdsutil.exe\\\") and\\n process.args : \\\"create*full*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"diskshadow.exe\\\" or process.name : \\\"diskshadow.exe\\\") and process.args : \\\"/s\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://lolbas-project.github.io/\"],\"target_version\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"revision\":0,\"current_rule\":{\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"updated_at\":\"2024-12-04T19:45:40.289Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.289Z\",\"created_by\":\"elastic\",\"name\":\"System Shells via Services\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. 
Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Shells via Services\\n\\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\\n\\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check for commands executed under the spawned shell.\\n\\n### False 
positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"services.exe\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n\\n /* Third party FP's */\\n not process.args : \\\"NVDisplay.ContainerLocalSystem\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Shells via 
Services\",\"description\":\"Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Shells via Services\\n\\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\\n\\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check for commands executed under the spawned shell.\\n\\n### False 
positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.289Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"e
ql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"services.exe\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n\\n /* Third party FP's */\\n not process.args : \\\"NVDisplay.ContainerLocalSystem\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"updated_at\":\"2024-12-04T19:45:40.291Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.291Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Suspended User Account Renewed\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a previously suspended user's account is renewed in Google Workspace. 
An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. 
Suspended user accounts are typically used by administrators to remove the user's access while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.\"],\"from\":\"now-130m\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/1110339\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Suspended User Account Renewed\",\"description\":\"Detects when a previously suspended user's account is renewed in Google Workspace. 
An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. 
Suspended user accounts are typically used by administrators to remove the user's access while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.\"],\"references\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.291Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.category:iam and 
event.action:UNSUSPEND_USER\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/1110339\"],\"target_version\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"revision\":0,\"current_rule\":{\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"updated_at\":\"2024-12-04T19:45:40.299Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.299Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Scan Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. 
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\"],\"query\":\"destination.port : * and event.action : \\\"network_flow\\\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Scan Detected\",\"description\":\"This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. 
This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.299Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : * and event.action : \\\"network_flow\\\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: 
Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"revision\":0,\"current_rule\":{\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"updated_at\":\"2024-12-04T19:45:41.399Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.399Z\",\"created_by\":\"elastic\",\"name\":\"Potential Cookies Theft via Browser Debugging\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Developers performing browser plugin or extension debugging.\"],\"from\":\"now-9m\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session 
Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/defaultnamehere/cookie_crimes\",\"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\",\"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md\",\"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"],\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\", \\\"info\\\") and\\n process.name in (\\n \\\"Microsoft Edge\\\",\\n \\\"chrome.exe\\\",\\n \\\"Google Chrome\\\",\\n \\\"google-chrome-stable\\\",\\n \\\"google-chrome-beta\\\",\\n \\\"google-chrome\\\",\\n \\\"msedge.exe\\\") and\\n process.args : (\\\"--remote-debugging-port=*\\\",\\n \\\"--remote-debugging-targets=*\\\",\\n 
\\\"--remote-debugging-pipe=*\\\") and\\n process.args : \\\"--user-data-dir=*\\\" and not process.args:\\\"--remote-debugging-port=0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Cookies Theft via Browser Debugging\",\"description\":\"Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Developers performing browser plugin or extension debugging.\"],\"references\":[\"https://github.com/defaultnamehere/cookie_crimes\",\"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\",\"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md\",\"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) 
for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.399Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\", \\\"info\\\") and\\n process.name in (\\n \\\"Microsoft Edge\\\",\\n \\\"chrome.exe\\\",\\n \\\"Google Chrome\\\",\\n \\\"google-chrome-stable\\\",\\n \\\"google-chrome-beta\\\",\\n \\\"google-chrome\\\",\\n \\\"msedge.exe\\\") and\\n process.args : (\\\"--remote-debugging-port=*\\\",\\n \\\"--remote-debugging-targets=*\\\",\\n \\\"--remote-debugging-pipe=*\\\") and\\n process.args : \\\"--user-data-dir=*\\\" and not process.args:\\\"--remote-debugging-port=0\\\"\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"revision\":0,\"current_rule\":{\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"updated_at\":\"2024-12-04T19:45:41.539Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.539Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via DuplicateHandle in LSASS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. 
This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/CCob/MirrorDump\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n\\n /* LSASS requesting DuplicateHandle access right to another process */\\n process.name : \\\"lsass.exe\\\" and winlog.event_data.GrantedAccess == \\\"0x40\\\" and\\n\\n /* call is coming from an unknown executable region */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via DuplicateHandle in LSASS\",\"description\":\"Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/CCob/MirrorDump\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.539Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n\\n /* LSASS requesting DuplicateHandle access right to another process */\\n process.name : \\\"lsass.exe\\\" and winlog.event_data.GrantedAccess == \\\"0x40\\\" and\\n\\n /* call is coming from an unknown executable region */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"revision\":0,\"current_rule\":{\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"updated_at\":\"2024-12-04T19:45:41.425Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.425Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Process and/or Service Terminations\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Process and/or Service Terminations\\n\\nAttackers can stop services and kill processes for a variety of purposes. 
For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\\n\\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore it to the operational state.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/luna-ransomware-attack-pattern\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or 
sc.exe or taskkill.exe) and\\n process.args:(stop or pause or delete or \\\"/PID\\\" or \\\"/IM\\\" or \\\"/T\\\" or \\\"/F\\\" or \\\"/t\\\" or \\\"/f\\\" or \\\"/im\\\" or \\\"/pid\\\") and\\n not process.parent.name:osquerybeat.exe\\n\",\"threshold\":{\"field\":[\"host.id\"],\"value\":10},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Process and/or Service Terminations\",\"description\":\"This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Process and/or Service Terminations\\n\\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\\n\\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore it to the operational state.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/luna-ransomware-attack-pattern\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.425Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\\n process.args:(stop or pause or delete or \\\"/PID\\\" or \\\"/IM\\\" or \\\"/T\\\" or \\\"/F\\\" or \\\"/t\\\" or \\\"/f\\\" or \\\"/im\\\" or \\\"/pid\\\") and\\n not process.parent.name:osquerybeat.exe\\n\",\"threshold\":{\"field\":[\"host.id\"],\"value\":10},\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"revision\":0,\"current_rule\":{\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"updated_at\":\"2024-12-04T19:45:41.427Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.427Z\",\"created_by\":\"elastic\",\"name\":\"Potential Memory Seeking 
Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/arget13/DDexec\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and 
(\\n (process.name == \\\"tail\\\" and process.args == \\\"-c\\\") or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Memory Seeking Activity\",\"description\":\"Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/arget13/DDexec\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.427Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", 
\\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like \\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"
ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args == \\\"-c\\\") or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", \\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like 
\\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", \\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like \\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"revision\":0,\"current_rule\":{\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"updated_at\":\"2024-12-04T19:45:41.437Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.437Z\",\"created_by\":\"elastic\",\"name\":\"Modification of OpenSSH Binaries\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of OpenSSH Binaries\\n\\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\\n\\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\\n\\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted OpenSSH executable updates. 
It's recommended to verify the integrity of OpenSSH binary changes.\"],\"from\":\"now-9m\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not process.executable:/usr/share/elasticsearch/*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of OpenSSH Binaries\",\"description\":\"Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of OpenSSH Binaries\\n\\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\\n\\nAdversaries may exploit OpenSSH by modifying its binaries, such as 
`/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\\n\\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.\"],\"references\":[\"https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.437Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n 
file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not process.executable:/usr/share/elasticsearch/*\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin 
or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"revision\":0,\"current_rule\":{\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"updated_at\":\"2024-12-04T19:45:41.442Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.442Z\",\"created_by\":\"elastic\",\"name\":\"Potential DLL Side-Loading via Microsoft Antimalware Service Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Dennis Perto\"],\"false_positives\":[\"Microsoft Antimalware Service Executable installed on non default installation path.\"],\"from\":\"now-9m\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.pe.original_file_name == \\\"MsMpEng.exe\\\" and not process.name : \\\"MsMpEng.exe\\\") or\\n (process.name : \\\"MsMpEng.exe\\\" and not\\n process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DLL Side-Loading via Microsoft Antimalware Service Executable\",\"description\":\"Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Dennis Perto\"],\"false_positives\":[\"Microsoft Antimalware Service Executable installed on non default installation path.\"],\"references\":[\"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.442Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.pe.original_file_name == \\\"MsMpEng.exe\\\" and not process.name : \\\"MsMpEng.exe\\\") or\\n (process.name : \\\"MsMpEng.exe\\\" and not\\n process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Security 
Client\\\\\\\\*.exe\\\"))\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"revision\":0,\"current_rule\":{\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"updated_at\":\"2024-12-04T19:45:41.444Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.444Z\",\"created_by\":\"elastic\",\"name\":\"Systemd-udevd Rule File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. 
Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"},{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", 
\\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd-udevd Rule File Creation\",\"description\":\"Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.444Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"},{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == 
\\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", 
\\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"revision\":0,\"current_rule\":{\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"updated_at\":\"2024-12-04T19:45:40.135Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.135Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft IIS Service Account Password Dumped\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. 
An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"list\\\" and process.args : 
\\\"/text*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft IIS Service Account Password Dumped\",\"description\":\"Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.135Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"list\\\" and process.args : \\\"/text*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data 
Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"revision\":0,\"current_rule\":{\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"updated_at\":\"2024-12-04T19:45:41.447Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.447Z\",\"created_by\":\"elastic\",\"name\":\"Conhost Spawned By Suspicious Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when 
the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Conhost Spawned By Suspicious Parent Process\\n\\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\\n\\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the parent process executable and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, 
Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"conhost.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\", \\\"services.exe\\\", \\\"smss.exe\\\", \\\"winlogon.exe\\\", \\\"explorer.exe\\\", \\\"dllhost.exe\\\", \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\", \\\"userinit.exe\\\", \\\"wininit.exe\\\", \\\"spoolsv.exe\\\", \\\"ctfmon.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : 
(\\\"?:\\\\\\\\Windows\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PcaSvc.dll,PcaPatchSdbTask\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\davclnt.dll,DavSetCookie\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Conhost Spawned By Suspicious Parent Process\",\"description\":\"Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Conhost Spawned By Suspicious Parent Process\\n\\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\\n\\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the parent process executable and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.447Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"conhost.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\", \\\"services.exe\\\", \\\"smss.exe\\\", \\\"winlogon.exe\\\", \\\"explorer.exe\\\", \\\"dllhost.exe\\\", \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\", \\\"userinit.exe\\\", \\\"wininit.exe\\\", \\\"spoolsv.exe\\\", \\\"ctfmon.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PcaSvc.dll,PcaPatchSdbTask\\\",\\n 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\davclnt.dll,DavSetCookie\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"revision\":0,\"current_rule\":{\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"updated_at\":\"2024-12-04T19:45:41.458Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.458Z\",\"created_by\":\"elastic\",\"name\":\"Remote System Discovery Commands\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Discovery of remote system information using built-in commands, which may be used to move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote System Discovery Commands\\n\\nAfter successfully compromising an environment, attackers may try to 
gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `arp` or `nbtstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"nbtstat.exe\\\" and process.args : (\\\"-n\\\", \\\"-s\\\")) or\\n (process.name : \\\"arp.exe\\\" and process.args : \\\"-a\\\") or\\n (process.name : \\\"nltest.exe\\\" and process.args : (\\\"/dclist\\\", \\\"/dsgetdc\\\")) or\\n (process.name : \\\"nslookup.exe\\\" and process.args : \\\"*_ldap._tcp.dc.*\\\") or\\n (process.name: (\\\"dsquery.exe\\\", \\\"dsget.exe\\\") and process.args: \\\"subnet\\\") or\\n ((((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and not \\n process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"group\\\" and process.args : \\\"/domain\\\" and not process.args : \\\"/add\\\"))) and\\n not\\n (\\n (\\n process.name : \\\"arp.exe\\\" and\\n process.parent.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\Workspace Environment Management Agent\\\\\\\\Citrix.Wem.Agent.Service.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Lansweeper\\\\\\\\Service\\\\\\\\LansweeperService.exe\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote System Discovery Commands\",\"description\":\"Discovery of remote system information using built-in commands, 
which may be used to move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote System Discovery Commands\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `arp` or `nbtstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.458Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"nbtstat.exe\\\" and process.args : (\\\"-n\\\", \\\"-s\\\")) or\\n (process.name : \\\"arp.exe\\\" and process.args : \\\"-a\\\") or\\n (process.name : \\\"nltest.exe\\\" and process.args : (\\\"/dclist\\\", \\\"/dsgetdc\\\")) or\\n (process.name : \\\"nslookup.exe\\\" and process.args : \\\"*_ldap._tcp.dc.*\\\") or\\n (process.name: (\\\"dsquery.exe\\\", \\\"dsget.exe\\\") and process.args: \\\"subnet\\\") or\\n ((((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and not \\n process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"group\\\" and process.args : \\\"/domain\\\" and not process.args : \\\"/add\\\"))) and\\n not\\n (\\n (\\n process.name : \\\"arp.exe\\\" 
and\\n process.parent.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\Workspace Environment Management Agent\\\\\\\\Citrix.Wem.Agent.Service.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Lansweeper\\\\\\\\Service\\\\\\\\LansweeperService.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"revision\":0,\"current_rule\":{\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"updated_at\":\"2024-12-04T19:45:41.460Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.460Z\",\"created_by\":\"elastic\",\"name\":\"System Time Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: 
BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1124\",\"name\":\"System Time Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1124/\"}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name: \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"time\\\" and 
not process.args : \\\"/set\\\"\\n ) or \\n (process.name: \\\"w32tm.exe\\\" and process.args: \\\"/tz\\\") or \\n (process.name: \\\"tzutil.exe\\\" and process.args: \\\"/g\\\")\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Time Discovery\",\"description\":\"Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1124\",\"name\":\"System Time 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1124/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.460Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name: \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"time\\\" and not process.args : \\\"/set\\\"\\n ) or \\n (process.name: \\\"w32tm.exe\\\" and process.args: \\\"/tz\\\") or \\n (process.name: \\\"tzutil.exe\\\" and process.args: \\\"/g\\\")\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"revision\":0,\"current_rule\":{\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"updated_at\":\"2024-12-04T19:45:41.463Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.463Z\",\"created_by\":\"elastic\",\"name\":\"Enumerating Domain Trusts via DSQUERY.EXE\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes.\"],\"from\":\"now-9m\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)\",\"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"dsquery.exe\\\" or ?process.pe.original_file_name: \\\"dsquery.exe\\\") and \\n process.args : \\\"*objectClass=trustedDomain*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumerating Domain Trusts via DSQUERY.EXE\",\"description\":\"Identifies the use of dsquery.exe for domain trust discovery purposes. 
Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict the use of `dsquery.exe` and other directory enumeration utilities to IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes.\"],\"references\":[\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)\",\"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.463Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"dsquery.exe\\\" or ?process.pe.original_file_name: \\\"dsquery.exe\\\") and \\n process.args : 
\\\"*objectClass=trustedDomain*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"revision\":0,\"current_rule\":{\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"updated_at\":\"2024-12-04T19:45:41.465Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.465Z\",\"created_by\":\"elastic\",\"name\":\"Potential Evasion via Filter Manager\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade 
defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Evasion via Filter Manager\\n\\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\\n\\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\\n\\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line event to identify the target driver.\\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON 
services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"fltMC.exe\\\" and process.args : \\\"unload\\\" and\\n not\\n (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\DCFAService64.exe\\\" and\\n process.args : (\\\"DFMFilter\\\", \\\"DRMFilter\\\")\\n ) or\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\" and\\n process.args : (\\\"BrFilter_*\\\", \\\"BrCow_*\\\") and\\n user.id : \\\"S-1-5-18\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Evasion via Filter Manager\",\"description\":\"The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### 
Investigating Potential Evasion via Filter Manager\\n\\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\\n\\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\\n\\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line event to identify the target driver.\\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON 
services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.465Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"fltMC.exe\\\" and process.args : \\\"unload\\\" and\\n not\\n (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\DCFAService64.exe\\\" and\\n process.args : (\\\"DFMFilter\\\", \\\"DRMFilter\\\")\\n ) or\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\" and\\n process.args : (\\\"BrFilter_*\\\", \\\"BrCow_*\\\") and\\n user.id : \\\"S-1-5-18\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"revision\":0,\"current_rule\":{\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"updated_at\":\"2024-12-04T19:45:41.467Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.467Z\",\"created_by\":\"elastic\",\"name\":\"Remote Desktop Enabled in Windows Firewall by Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary 
Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects the use of the `netsh.exe` utility to create or enable a Windows Firewall inbound rule (including the built-in `Remote Desktop` rule group) that would allow inbound RDP traffic.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Review the full command line to determine whether a new firewall rule was added or the existing Remote Desktop rule group was enabled.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : (\\\"localport=3389\\\", \\\"RemoteDesktop\\\", \\\"group=\\\\\\\"remote desktop\\\\\\\"\\\") and\\n process.args : (\\\"action=allow\\\", \\\"enable=Yes\\\", \\\"enable\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Desktop Enabled in Windows Firewall by Netsh\",\"description\":\"Identifies use of the network shell utility (netsh.exe) to enable 
inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.467Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : (\\\"localport=3389\\\", \\\"RemoteDesktop\\\", \\\"group=\\\\\\\"remote desktop\\\\\\\"\\\") and\\n process.args : (\\\"action=allow\\\", \\\"enable=Yes\\\", 
\\\"enable\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"revision\":0,\"current_rule\":{\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"updated_at\":\"2024-12-04T19:45:40.165Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.165Z\",\"created_by\":\"elastic\",\"name\":\"Local Account TokenFilter Policy Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modification to the LocalAccountTokenFilterPolicy policy. 
If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439\",\"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\",\"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"LocalAccountTokenFilterPolicy\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Local Account TokenFilter Policy Disabled\",\"description\":\"Identifies registry modification to the LocalAccountTokenFilterPolicy 
policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439\",\"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\",\"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.165Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"LocalAccountTokenFilterPolicy\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"updated_at\":\"2024-12-04T19:45:41.475Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.475Z\",\"created_by\":\"elastic\",\"name\":\"Google Drive Ownership Transferred via Google Workspace\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. 
Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Drive Ownership Transferred via Google Workspace\\n\\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\\n\\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\\n\\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\\n\\n#### Possible investigation steps\\n\\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\\n- Determine if involved user accounts are active. 
To view user activity, go to `Directory > Users`.\\n- Check if the involved user accounts were recently disabled, then re-enabled.\\n- Review involved user accounts for potentially misconfigured permissions or roles.\\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\\n- If a shared drive is involved, review the access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\\n\\n### False positive analysis\\n\\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.\"],\"from\":\"now-130m\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.002\",\"name\":\"Remote Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/1247799?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CREATE_DATA_TRANSFER_REQUEST\\\"\\n and event.category:\\\"iam\\\" and google_workspace.admin.application.name:Drive*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Drive Ownership Transferred via Google Workspace\",\"description\":\"Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Drive Ownership Transferred via Google Workspace\\n\\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\\n\\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. 
With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\\n\\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\\n\\n#### Possible investigation steps\\n\\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\\n- Check if the involved user accounts were recently disabled, then re-enabled.\\n- Review involved user accounts for potentially misconfigured permissions or roles.\\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\\n- If a shared drive is involved, review the access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\\n\\n### False positive analysis\\n\\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.\"],\"references\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.002\",\"name\":\"Remote Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/002/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.475Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CREATE_DATA_TRANSFER_REQUEST\\\"\\n and event.category:\\\"iam\\\" and google_workspace.admin.application.name:Drive*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/1247799?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"revision\":0,\"current_rule\":{\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"updated_at\":\"2024-12-04T19:45:41.484Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.484Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Removable Device\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1091\",\"name\":\"Replication Through Removable Media\",\"reference\":\"https://attack.mitre.org/techniques/T1091/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1052\",\"name\":\"Exfiltration Over Physical 
Medium\",\"reference\":\"https://attack.mitre.org/techniques/T1052/\",\"subtechnique\":[{\"id\":\"T1052.001\",\"name\":\"Exfiltration over USB\",\"reference\":\"https://attack.mitre.org/techniques/T1052/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html\",\"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"registry\\\" and host.os.type:\\\"windows\\\" and registry.value:\\\"FriendlyName\\\" and registry.path:*USBSTOR*\\n\",\"new_terms_fields\":[\"registry.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Removable Device\",\"description\":\"Identifies newly seen removable devices by device friendly name using registry modification events. 
While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html\",\"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1091\",\"name\":\"Replication Through Removable Media\",\"reference\":\"https://attack.mitre.org/techniques/T1091/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1052\",\"name\":\"Exfiltration Over Physical Medium\",\"reference\":\"https://attack.mitre.org/techniques/T1052/\",\"subtechnique\":[{\"id\":\"T1052.001\",\"name\":\"Exfiltration over 
USB\",\"reference\":\"https://attack.mitre.org/techniques/T1052/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.484Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"registry\\\" and host.os.type:\\\"windows\\\" and registry.value:\\\"FriendlyName\\\" and registry.path:*USBSTOR*\\n\",\"new_terms_fields\":[\"registry.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"revision\":0,\"current_rule\":{\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"updated_at\":\"2024-12-04T19:45:41.496Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.496Z\",\"created_by\":\"elastic\",\"name\":\"Process Termination followed by Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. 
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Termination followed by Deletion\\n\\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic 
Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\")\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\"\\n )\\n ] by file.path\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Termination followed by Deletion\",\"description\":\"Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Termination followed by Deletion\\n\\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File 
Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.496Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n 
process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not (process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by 
file.path\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",
\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\")\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not 
(process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not (process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"revision\":0,\"current_rule\":{\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"updated_at\":\"2024-12-04T19:45:41.498Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.498Z\",\"created_by\":\"elastic\",\"name\":\"File Creation, Execution and Self-Deletion in Suspicious Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action 
== \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Creation, Execution and Self-Deletion in Suspicious Directory\",\"description\":\"This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.498Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : 
(\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome
\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", 
\\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"revision\":0,\"current_rule\":{\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"updated_at\":\"2024-12-04T19:45:41.508Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.508Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Remote Execution Capabilities via WinRM\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1021/006/\",\"https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs\",\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"Invoke-WmiMethod\\\" or \\\"Invoke-Command\\\" or \\\"Enter-PSSession\\\") and \\\"ComputerName\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not file.directory : 
(\\n \\\"C:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\tmp\\\"\\n ) and not\\n powershell.file.script_block_text : (\\n \\\"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\\\" and\\n \\\"function Invoke-Command {\\\"\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\allcommands.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\*\\\\\\\\bin\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ExchangeServer\\\\\\\\bin*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Remote Execution Capabilities via WinRM\",\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1021/006/\",\"https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs\",\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.508Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\allcommands.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\*\\\\\\\\bin\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ExchangeServer\\\\\\\\bin*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"Invoke-WmiMethod\\\" or \\\"Invoke-Command\\\" or 
\\\"Enter-PSSession\\\") and \\\"ComputerName\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not file.directory : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\tmp\\\"\\n ) and not\\n powershell.file.script_block_text : (\\n \\\"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\\\" and\\n \\\"function Invoke-Command {\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"revision\":0,\"current_rule\":{\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"updated_at\":\"2024-12-04T19:45:41.510Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.510Z\",\"created_by\":\"elastic\",\"name\":\"Yum Package Manager Plugin File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n 
\\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Yum Package Manager Plugin File Creation\",\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.510Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", 
\\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"target_version\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"merged_version\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\"],\"target_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", 
\\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"revision\":0,\"current_rule\":{\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"updated_at\":\"2024-12-04T19:45:41.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.670Z\",\"created_by\":\"elastic\",\"name\":\"Anomalous Windows Process Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual parent-child process relationships 
that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Windows Process Creation\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with VirusTotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_creation\"],\"actions\":[]},\"target_rule\":{\"name\":\"Anomalous Windows Process Creation\",\"description\":\"Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. 
For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Windows Process Creation\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with VirusTotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.670Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_creation\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"revision\":0,\"current_rule\":{\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"updated_at\":\"2024-12-04T19:45:41.513Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.513Z\",\"created_by\":\"elastic\",\"name\":\"User account exposed to Kerberoasting\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating User account exposed to Kerberoasting\\n\\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\\n\\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making offline cracking of their tickets computationally impractical.\\n\\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. Any authenticated user in the directory can request a service ticket (TGS) for that SPN, and the domain controller will encrypt it with a key derived from the password of the account running the service. An attacker can then attempt to crack that ticket offline to recover the password (Kerberoasting), which is far more likely to succeed against a human-defined, less complex password than against a machine account's.\\n\\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\\n\\nAttackers can also perform \\\"Targeted Kerberoasting\\\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\\n- Investigate if tickets have been requested for the target account.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting\",\"https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/\",\"https://www.thehacker.recipes/ad/movement/kerberos/kerberoast\",\"https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting\",\"https://adsecurity.org/?p=280\",\"https://github.com/OTRF/Set-AuditRule\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknow
n\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.OperationType:\\\"%%14674\\\" and\\n winlog.event_data.ObjectClass:\\\"user\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"servicePrincipalName\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User account exposed to Kerberoasting\",\"description\":\"Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. 
Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User account exposed to Kerberoasting\\n\\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\\n\\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\\n\\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\\n\\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\\n\\nAttackers can also perform \\\"Targeted Kerberoasting\\\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\\n- Investigate if tickets have been requested for the target account.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting\",\"https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/\",\"https://www.thehacker.recipes/ad/movement/kerberos/kerberoast\",\"https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting\",\"https://adsecurity.org/?p=280\",\"https://github.com/OTRF/Set-AuditRule\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows 
Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.513Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.OperationType:\\\"%%14674\\\" and\\n winlog.event_data.ObjectClass:\\\"user\\\" and\\n 
winlog.event_data.AttributeLDAPDisplayName:\\\"servicePrincipalName\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"revision\":0,\"current_rule\":{\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"updated_at\":\"2024-12-04T19:45:41.522Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.522Z\",\"created_by\":\"elastic\",\"name\":\"Peripheral Device Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Peripheral Device Discovery\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1120\",\"name\":\"Peripheral Device Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1120/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"fsinfo\\\" and process.args : \\\"drives\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Peripheral Device Discovery\",\"description\":\"Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Peripheral Device Discovery\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1120\",\"name\":\"Peripheral Device 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1120/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.522Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"fsinfo\\\" and process.args : \\\"drives\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"revision\":0,\"current_rule\":{\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"updated_at\":\"2024-12-04T19:46:03.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.687Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict 
policies\"],\"from\":\"now-60m\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session\",\"description\":\"Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. 
Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: 
T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.687Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User 
Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify 
if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| stats violations = count(*) by user.id, 
gen_ai.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"revision\":0,\"current_rule\":{\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"updated_at\":\"2024-12-04T19:45:41.536Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.536Z\",\"created_by\":\"elastic\",\"name\":\"Execution of File Written or Modified by Microsoft Office\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an executable created by a Microsoft Office application and subsequently executed. 
These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by Microsoft Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-120m\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of File Written or Modified by Microsoft 
Office\",\"description\":\"Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by Microsoft Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-120m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.536Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and 
process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"revision\":0,\"current_rule\":{\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"updated_at\":\"2024-12-04T19:45:42.480Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.480Z\",\"created_by\":\"elastic\",\"name\":\"MsBuild Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. 
Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the 
environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : \\\"localhost\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MsBuild Making Network Connections\",\"description\":\"Identifies MsBuild.exe making outbound network connections. 
This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.480Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n 
process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"merged_version\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : 
\\\"MSBuild.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : \\\"localhost\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where 
host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"revision\":0,\"current_rule\":{\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"updated_at\":\"2024-12-04T19:45:42.482Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.482Z\",\"created_by\":\"elastic\",\"name\":\"rc.local/rc.common File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \\\"systemd-rc-local-generator\\\", rc.local files can be converted to services that run at boot. 
Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating rc.local/rc.common File Creation\\n\\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\\n\\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\\n\\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve rc-local.service File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\\\n\\\"}}\\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \\\"rc-local.service|/etc/rc.local Compatibility\\\"` can be executed to check for the execution of the service.\\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the `service/rc.local` files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path in (\\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\") and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"rc.local/rc.common File Creation\",\"description\":\"This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \\\"systemd-rc-local-generator\\\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating rc.local/rc.common File Creation\\n\\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\\n\\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\\n\\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve rc-local.service File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\\\n\\\"}}\\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\\n - If `rc-local.service` is found, manual investigation is required 
to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \\\"rc-local.service|/etc/rc.local Compatibility\\\"` can be executed to check for the execution of the service.\\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the `service/rc.local` files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.482Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path in (\\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\") and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", 
\\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"revision\":0,\"current_rule\":{\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"updated_at\":\"2024-12-04T19:45:42.487Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.487Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSASS Memory Dump via PssCaptureSnapShot\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\\nrule cardinality feature.\\n\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"event.category:process and host.os.type:windows and event.code:10 and\\n winlog.event_data.TargetImage:(\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\")\\n\",\"threshold\":{\"field\":[\"process.entity_id\"],\"value\":2,\"cardinality\":[{\"field\":\"winlog.event_data.TargetProcessId\",\"value\":2}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSASS Memory Dump via PssCaptureSnapShot\",\"description\":\"Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\\nrule cardinality 
feature.\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.487Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:process and host.os.type:windows and event.code:10 and\\n winlog.event_data.TargetImage:(\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\")\\n\",\"threshold\":{\"field\":[\"process.entity_id\"],\"value\":2,\"cardinality\":[{\"field\":\"winlog.event_data.TargetProcessId\",\"value\":2}]},\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"revision\":0,\"current_rule\":{\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"updated_at\":\"2024-12-04T19:45:42.503Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.503Z\",\"created_by\":\"elastic\",\"name\":\"Potential DLL Side-Loading via Trusted Microsoft Programs\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name in (\\\"WinWord.exe\\\", \\\"EXPLORER.EXE\\\", \\\"w3wp.exe\\\", \\\"DISM.EXE\\\") and\\n not (process.name : (\\\"winword.exe\\\", \\\"explorer.exe\\\", \\\"w3wp.exe\\\", \\\"Dism.exe\\\") or\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files?(x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DLL Side-Loading via Trusted Microsoft Programs\",\"description\":\"Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.503Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name in (\\\"WinWord.exe\\\", \\\"EXPLORER.EXE\\\", \\\"w3wp.exe\\\", \\\"DISM.EXE\\\") and\\n not (process.name : (\\\"winword.exe\\\", \\\"explorer.exe\\\", \\\"w3wp.exe\\\", \\\"Dism.exe\\\") or\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files?(x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"revision\":0,\"current_rule\":{\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"updated_at\":\"2024-12-04T19:45:42.506Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.506Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via Windows Firewall Snap-In Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/AzAgarampur/byeintegrity-uac\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"mmc.exe\\\" and\\n /* process.Ext.token.integrity_level_name == \\\"high\\\" can be added in future for tuning */\\n /* args of the Windows Firewall SnapIn */\\n process.parent.args == \\\"WF.msc\\\" and process.name != \\\"WerFault.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via Windows Firewall Snap-In Hijack\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management 
Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/AzAgarampur/byeintegrity-uac\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse 
Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.506Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"mmc.exe\\\" and\\n /* process.Ext.token.integrity_level_name == \\\"high\\\" can be added in future for tuning */\\n /* args of the Windows Firewall SnapIn */\\n process.parent.args == \\\"WF.msc\\\" and process.name != \\\"WerFault.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"revision\":0,\"current_rule\":{\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"updated_at\":\"2024-12-04T19:45:42.510Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.510Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Token Impersonation Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Token Impersonation Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time the script was executed.\\n\\n### False positive analysis\\n\\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related Rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/decoder-it/psgetsystem\",\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":12,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-TokenManipulation\\\" or\\n \\\"ImpersonateNamedPipeClient\\\" or\\n \\\"NtImpersonateThread\\\" or\\n (\\n \\\"STARTUPINFOEX\\\" and\\n 
\\\"UpdateProcThreadAttribute\\\"\\n ) or\\n (\\n \\\"AdjustTokenPrivileges\\\" and\\n \\\"SeDebugPrivilege\\\"\\n ) or\\n (\\n (\\\"DuplicateToken\\\" or\\n \\\"DuplicateTokenEx\\\") and\\n (\\\"SetThreadToken\\\" or\\n \\\"ImpersonateLoggedOnUser\\\" or\\n \\\"CreateProcessWithTokenW\\\" or\\n \\\"CreatePRocessAsUserW\\\" or\\n \\\"CreateProcessAsUserA\\\")\\n ) \\n ) and\\n not (\\n user.id:(\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") and\\n file.directory: \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not (\\n powershell.file.script_block_text : \\\"New-HPPrivateToastNotificationLogo\\\" and\\n file.path : \\\"C:\\\\Program Files\\\\HPConnect\\\\hp-cmsl-wl\\\\modules\\\\HP.Notifications\\\\HP.Notifications.psm1\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Token Impersonation Capabilities\",\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Token Impersonation Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. 
This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time the script was executed.\\n\\n### False positive analysis\\n\\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related Rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/decoder-it/psgetsystem\",\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.510Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-TokenManipulation\\\" or\\n \\\"ImpersonateNamedPipeClient\\\" or\\n \\\"NtImpersonateThread\\\" or\\n (\\n 
\\\"STARTUPINFOEX\\\" and\\n \\\"UpdateProcThreadAttribute\\\"\\n ) or\\n (\\n \\\"AdjustTokenPrivileges\\\" and\\n \\\"SeDebugPrivilege\\\"\\n ) or\\n (\\n (\\\"DuplicateToken\\\" or\\n \\\"DuplicateTokenEx\\\") and\\n (\\\"SetThreadToken\\\" or\\n \\\"ImpersonateLoggedOnUser\\\" or\\n \\\"CreateProcessWithTokenW\\\" or\\n \\\"CreatePRocessAsUserW\\\" or\\n \\\"CreateProcessAsUserA\\\")\\n ) \\n ) and\\n not (\\n user.id:(\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") and\\n file.directory: \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not (\\n powershell.file.script_block_text : \\\"New-HPPrivateToastNotificationLogo\\\" and\\n file.path : \\\"C:\\\\Program Files\\\\HPConnect\\\\hp-cmsl-wl\\\\modules\\\\HP.Notifications\\\\HP.Notifications.psm1\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":12,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"revision\":0,\"current_rule\":{\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"updated_at\":\"2024-12-04T19:45:42.513Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.513Z\",\"created_by\":\"elastic\",\"name\":\"Third-party Backup Files Deleted via Unexpected Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Third-party Backup Files Deleted via Unexpected Process\\n\\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\\n\\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\\n\\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.\"],\"from\":\"now-9m\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[\"https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n (\\n /* Veeam Related Backup Files */\\n (\\n file.extension : (\\\"VBK\\\", \\\"VIB\\\", \\\"VBM\\\") and\\n not (\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\") and\\n (process.code_signature.trusted == true and 
process.code_signature.subject_name : (\\\"Veeam Software Group GmbH\\\", \\\"Veeam Software AG\\\"))\\n )\\n ) or\\n /* Veritas Backup Exec Related Backup File */\\n (\\n file.extension : \\\"BKF\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\"\\n )\\n )\\n ) and\\n not (\\n process.name : (\\\"MSExchangeMailboxAssistants.exe\\\", \\\"Microsoft.PowerBI.EnterpriseGateway.exe\\\") and\\n (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ) and\\n not file.path : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Third-party Backup Files Deleted via Unexpected Process\",\"description\":\"Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Third-party Backup Files Deleted via Unexpected Process\\n\\nBackups are a significant obstacle for any ransomware operation. 
They allow the victim to resume business by performing data recovery, making them a valuable target.\\n\\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\\n\\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.\"],\"references\":[\"https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.513Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n (\\n /* Veeam Related Backup Files */\\n (\\n file.extension : (\\\"VBK\\\", \\\"VIB\\\", \\\"VBM\\\") and\\n not (\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\") and\\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\\\"Veeam Software Group GmbH\\\", \\\"Veeam Software AG\\\"))\\n )\\n ) or\\n 
/* Veritas Backup Exec Related Backup File */\\n (\\n file.extension : \\\"BKF\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\"\\n )\\n )\\n ) and\\n not (\\n process.name : (\\\"MSExchangeMailboxAssistants.exe\\\", \\\"Microsoft.PowerBI.EnterpriseGateway.exe\\\") and\\n (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ) and\\n not file.path : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"revision\":0,\"current_rule\":{\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"updated_at\":\"2024-12-04T19:45:42.518Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.518Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more 
suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or 
Winlogbeat. \\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a User\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.518Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"updated_at\":\"2024-12-04T19:46:03.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.692Z\",\"created_by\":\"elastic\",\"name\":\"AWS Lambda Function Created or Updated\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate changes to Lambda functions can trigger this signal. 
Ensure that the changes are authorized and align with your organization's policies.\"],\"from\":\"now-60m\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[\"https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/\",\"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"lambda.amazonaws.com\\\"\\n and event.outcome: \\\"success\\\"\\n and event.action: (CreateFunction* or UpdateFunctionCode*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Lambda Function Created or Updated\",\"description\":\"Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. 
Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate changes to Lambda functions can trigger this signal. 
Ensure that the changes are authorized and align with your organization's policies.\"],\"references\":[\"https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/\",\"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"lambda.amazonaws.com\\\"\\n and event.outcome: \\\"success\\\"\\n and event.action: (CreateFunction* or UpdateFunctionCode*)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"revision\":0,\"current_rule\":{\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"updated_at\":\"2024-12-04T19:45:42.520Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.520Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Lsass Process Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Lsass Process Access\",\"description\":\"Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.520Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", 
\\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : 
(\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"revision\":0,\"current_rule\":{\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"updated_at\":\"2024-12-04T19:45:42.527Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.527Z\",\"created_by\":\"elastic\",\"name\":\"Potential Exploitation of an Unquoted Service Path Vulnerability\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. 
By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.009\",\"name\":\"Path Interception by Unquoted Path\",\"reference\":\"https://attack.mitre.org/techniques/T1574/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n (\\n process.executable : \\\"?:\\\\\\\\Program.exe\\\" or \\n process.executable regex \\\"\\\"\\\"(C:\\\\\\\\Program Files \\\\(x86\\\\)\\\\\\\\|C:\\\\\\\\Program Files\\\\\\\\)\\\\w+.exe\\\"\\\"\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Exploitation of an Unquoted Service Path 
Vulnerability\",\"description\":\"Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.009\",\"name\":\"Path Interception by Unquoted 
Path\",\"reference\":\"https://attack.mitre.org/techniques/T1574/009/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.527Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n (\\n process.executable : \\\"?:\\\\\\\\Program.exe\\\" or \\n process.executable regex \\\"\\\"\\\"(C:\\\\\\\\Program Files \\\\(x86\\\\)\\\\\\\\|C:\\\\\\\\Program Files\\\\\\\\)\\\\w+.exe\\\"\\\"\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"revision\":0,\"current_rule\":{\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"updated_at\":\"2024-12-04T19:45:42.530Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.530Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Cmd Execution via WMI\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"WmiPrvSE.exe\\\" and process.name : \\\"cmd.exe\\\" and\\n process.args : \\\"\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*\\\" and process.args : (\\\"2>&1\\\", \\\"1>\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Cmd Execution via WMI\",\"description\":\"Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.530Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"WmiPrvSE.exe\\\" and process.name : \\\"cmd.exe\\\" and\\n process.args : \\\"\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*\\\" and process.args : (\\\"2>&1\\\", 
\\\"1>\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"revision\":0,\"current_rule\":{\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"updated_at\":\"2024-12-04T19:45:42.536Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.536Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Scheduled Job Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A job can be used to schedule programs or scripts to be executed at a specified date and time. 
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled jobs may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":310,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\" and file.extension : \\\"job\\\" and\\n not (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\CCleanerCrashReporting.job\\\"\\n ) or\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\"\\n ) and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\DCAgentUpdater.job\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Scheduled Job Creation\",\"description\":\"A job can be used to schedule programs or scripts to be executed at a specified date and time. 
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":411,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled jobs may be created during installation of new software.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.536Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\" and file.extension : \\\"job\\\" and\\n not (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\CCleanerCrashReporting.job\\\"\\n ) or\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\"\\n ) and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\DCAgentUpdater.job\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":310,\"target_version\":411,\"merged_version\":411,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"revision\":0,\"current_rule\":{\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"updated_at\":\"2024-12-04T19:45:42.541Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.541Z\",\"created_by\":\"elastic\",\"name\":\"Potential Ransomware Behavior - High count of Readme files by System\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n#### Possible investigation steps\\n\\n- Investigate the content of the readme files.\\n- Investigate any file names with unusual extensions.\\n- Investigate any incoming network connection to port 445 on this host.\\n- Investigate any network logon events to this host.\\n- Identify the total number and type of modified files by pid 4.\\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Local file modification from a Kernel mode driver.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume 
Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\\n\",\"threshold\":{\"field\":[\"host.id\",\"file.name\"],\"value\":20},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Ransomware Behavior - High count of Readme files by System\",\"description\":\"This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time 
period.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n#### Possible investigation steps\\n\\n- Investigate the content of the readme files.\\n- Investigate any file names with unusual extensions.\\n- Investigate any incoming network connection to port 445 on this host.\\n- Investigate any network logon events to this host.\\n- Identify the total number and type of modified files by pid 4.\\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Local file modification from a Kernel mode driver.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.651Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.541Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\\n\",\"threshold\":{\"field\":[\"host.id\",\"file.name\"],\"value\":20},\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"revision\":0,\"current_rule\":{\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"updated_at\":\"2024-12-04T19:45:42.543Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.543Z\",\"created_by\":\"elastic\",\"name\":\"Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity\",\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-10m\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"],\"query\":\"process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score\",\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-10m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. \\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.543Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity\",\"target_version\":\"Machine Learning Detected a Suspicious Windows Event with a Low 
Malicious Probability Score\",\"merged_version\":\"Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"target_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"target_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"merged_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where ((problemchild.prediction == 1 and 
problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"revision\":0,\"current_rule\":{\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"updated_at\":\"2024-12-04T19:45:42.548Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.548Z\",\"created_by\":\"elastic\",\"name\":\"RPC (Remote Procedure Call) from the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 
192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RPC (Remote Procedure Call) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.548Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"revision\":0,\"current_rule\":{\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"updated_at\":\"2024-12-04T19:45:42.550Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.550Z\",\"created_by\":\"elastic\",\"name\":\"Office Test Registry Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the Microsoft Office \\\"Office Test\\\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.002\",\"name\":\"Office Test\",\"reference\":\"https://attack.mitre.org/techniques/T1137/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Office Test\\\\\\\\Special\\\\\\\\Perf\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Office Test Registry Persistence\",\"description\":\"Identifies the modification of the Microsoft Office \\\"Office Test\\\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. 
Attackers can abuse this to gain persistence on a compromised host.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.002\",\"name\":\"Office Test\",\"reference\":\"https://attack.mitre.org/techniques/T1137/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.550Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Office Test\\\\\\\\Special\\\\\\\\Perf\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"revision\":0,\"current_rule\":{\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"updated_at\":\"2024-12-04T19:45:40.147Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.147Z\",\"created_by\":\"elastic\",\"name\":\"Potential Persistence via Time Provider Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Persistence via Time Provider Modification\\n\\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. 
\\n\\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore Time Provider settings to the desired state.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time 
Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pentestlab.blog/2019/10/22/persistence-time-providers/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Persistence via Time Provider Modification\",\"description\":\"Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. 
Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Persistence via Time Provider Modification\\n\\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \\n\\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore Time Provider settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pentestlab.blog/2019/10/22/persistence-time-providers/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time 
Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.147Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : 
\\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"revision\":0,\"current_rule\":{\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"updated_at\":\"2024-12-04T19:45:42.557Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.557Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Task Execution at Scale via GPO\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Scheduled Task Execution at Scale via GPO\\n\\nGroup Policy Objects (GPOs) can be used 
by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml` file.\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scheduled tasks attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\",\"https://twitter.com/menasec1/status/1106899890377052160\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"(event.code: \\\"5136\\\" and winlog.event_data.AttributeLDAPDisplayName:(\\\"gPCMachineExtensionNames\\\" or \\\"gPCUserExtensionNames\\\") and\\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\\nor\\n(event.code: \\\"5145\\\" and winlog.event_data.ShareName: \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Task Execution at Scale via GPO\",\"description\":\"Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Scheduled Task Execution at Scale via GPO\\n\\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. 
This is done by changing the contents of the `\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml` file.\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `<Command>` and `<Arguments>` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scheduled tasks attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\",\"https://twitter.com/menasec1/status/1106899890377052160\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1570\",\"name\":\"Lateral Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows 
Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.557Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : 
\\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":
\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"(event.code: \\\"5136\\\" and winlog.event_data.AttributeLDAPDisplayName:(\\\"gPCMachineExtensionNames\\\" or \\\"gPCUserExtensionNames\\\") and\\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\\nor\\n(event.code: \\\"5145\\\" and winlog.event_data.ShareName: \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : \\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n 
winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : \\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"revision\":0,\"current_rule\":{\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"updated_at\":\"2024-12-04T19:45:42.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.560Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via Desktopimgdownldr Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Desktopimgdownldr Utility\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use 
the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"desktopimgdownldr.exe\\\" or ?process.pe.original_file_name == \\\"desktopimgdownldr.exe\\\") and\\n process.args : \\\"/lockscreenurl:http*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via Desktopimgdownldr Utility\",\"description\":\"Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Desktopimgdownldr Utility\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across 
hosts.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"desktopimgdownldr.exe\\\" or ?process.pe.original_file_name == \\\"desktopimgdownldr.exe\\\") and\\n process.args : \\\"/lockscreenurl:http*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"revision\":0,\"current_rule\":{\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"updated_at\":\"2024-12-04T19:45:42.571Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.571Z\",\"created_by\":\"elastic\",\"name\":\"File Creation Time Changed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. 
Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.006\",\"name\":\"Timestomp\",\"reference\":\"https://attack.mitre.org/techniques/T1070/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.code : \\\"2\\\" and\\n\\n /* Requires Sysmon EventID 2 - File creation time change */\\n event.action : \\\"File creation time changed*\\\" and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Program 
Files (x86)\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\backgroundTaskHost.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\app-*\\\\\\\\slack.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\GitHubDesktop\\\\\\\\app-*\\\\\\\\GitHubDesktop.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\current\\\\\\\\Teams.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\") and \\n not file.extension : (\\\"temp\\\", \\\"tmp\\\", \\\"~tmp\\\", \\\"xml\\\", \\\"newcfg\\\") and not user.name : (\\\"SYSTEM\\\", \\\"Local Service\\\", \\\"Network Service\\\") and\\n not file.name : (\\\"LOG\\\", \\\"temp-index\\\", \\\"license.rtf\\\", \\\"iconcache_*.db\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Creation Time Changed\",\"description\":\"Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. 
Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.006\",\"name\":\"Timestomp\",\"reference\":\"https://attack.mitre.org/techniques/T1070/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.571Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"fil
e where host.os.type == \\\"windows\\\" and event.code : \\\"2\\\" and\\n\\n /* Requires Sysmon EventID 2 - File creation time change */\\n event.action : \\\"File creation time changed*\\\" and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\backgroundTaskHost.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\app-*\\\\\\\\slack.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\GitHubDesktop\\\\\\\\app-*\\\\\\\\GitHubDesktop.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\current\\\\\\\\Teams.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\") and \\n not file.extension : (\\\"temp\\\", \\\"tmp\\\", \\\"~tmp\\\", \\\"xml\\\", \\\"newcfg\\\") and not user.name : (\\\"SYSTEM\\\", \\\"Local Service\\\", \\\"Network Service\\\") and\\n not file.name : (\\\"LOG\\\", \\\"temp-index\\\", \\\"license.rtf\\\", \\\"iconcache_*.db\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"revision\":0,\"current_rule\":{\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"updated_at\":\"2024-12-04T19:45:42.578Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.578Z\",\"created_by\":\"elastic\",\"name\":\"Startup/Logon Script added to Group Policy Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup/Logon Script added to Group Policy Object\\n\\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following paths:\\n - `\\\\Machine\\\\Scripts\\\\`\\n - `\\\\User\\\\Scripts\\\\`\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is legitimately authorized and executed under a change management process.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate Administrative Activity\"],\"from\":\"now-6m\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity 
Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"(\\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\\n)\\nor\\n(\\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL and\\n winlog.event_data.RelativeTargetName:(*\\\\\\\\scripts.ini or *\\\\\\\\psscripts.ini) and\\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup/Logon Script added to Group Policy Object\",\"description\":\"Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup/Logon Script added to Group Policy Object\\n\\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following paths:\\n - `\\\\Machine\\\\Scripts\\\\`\\n - `\\\\User\\\\Scripts\\\\`\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is legitimately authorized and executed under a change management process.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate Administrative Activity\"],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.578Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"(\\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\\n)\\nor\\n(\\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL and\\n winlog.event_data.RelativeTargetName:(*\\\\\\\\scripts.ini or *\\\\\\\\psscripts.ini) and\\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"revision\":0,\"current_rule\":{\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"updated_at\":\"2024-12-04T19:46:03.699Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.699Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. 
This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exorbitant costs.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"from\":\"now-60m\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0015\",\"https://atlas.mitre.org/techniques/AML.T0034\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User\",\"description\":\"Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. 
This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exorbitant costs.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0015\",\"https://atlas.mitre.org/techniques/AML.T0034\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.699Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as 
well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify whether the user account's attempts to use denied models stem from a legitimate misunderstanding by users or from overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access Bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"merged_version\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"revision\":0,\"current_rule\":{\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"updated_at\":\"2024-12-04T19:45:42.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.581Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Username\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. 
Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"},{\"id\":\"T1078.003\",\"name\":\"Local 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_user_name\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Username\",\"description\":\"A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. 
In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"},{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_user_name\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"revision\":0,\"current_rule\":{\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"updated_at\":\"2024-12-04T19:45:42.583Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.583Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the 
associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_service\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Service\",\"description\":\"A machine learning job detected an unusual Windows service. This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. 
This job helps detect malware and persistence mechanisms that have been installed and run as a service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.583Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_service\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"revision\":0,\"current_rule\":{\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"updated_at\":\"2024-12-04T19:45:42.585Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.585Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Powershell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the 
associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_script\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Powershell Script\",\"description\":\"A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.585Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_script\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"revision\":0,\"current_rule\":{\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"updated_at\":\"2024-12-04T19:45:42.588Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.588Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows User Privilege Elevation Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Privilege Escalation\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_runas_event\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows User Privilege Elevation Activity\",\"description\":\"A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. 
Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Privilege Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.588Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_runas_event\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"revision\":0,\"current_rule\":{\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"updated_at\":\"2024-12-04T19:45:42.590Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.590Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Remote User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_type10_remote_login\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Remote User\",\"description\":\"A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. 
RDP attacks, such as BlueKeep, also tend to use unusual usernames.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is 
enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.590Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_type10_remote_login\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"revision\":0,\"current_rule\":{\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"updated_at\":\"2024-12-04T19:45:42.593Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.593Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Service Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":13,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", 
\\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Service Created\",\"description\":\"This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":15,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.593Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", 
\\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n 
\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", \\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":13,\"target_version\":15,\"merged_version\":15,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in 
Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", 
\\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", \\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"revision\":0,\"current_rule\":{\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"updated_at\":\"2024-12-04T19:45:42.595Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.595Z\",\"created_by\":\"elastic\",\"name\":\"Renamed Utility Executed with Short Program Name\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed Utility Executed with Short Program Name\\n\\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and length(process.name) > 0 and\\n length(process.name) == 5 and 
length(process.pe.original_file_name) > 5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Renamed Utility Executed with Short Program Name\",\"description\":\"Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed Utility Executed with Short Program Name\\n\\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System 
Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.595Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and length(process.name) > 0 and\\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: 
Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"revision\":0,\"current_rule\":{\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"updated_at\":\"2024-12-04T19:45:42.609Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.609Z\",\"created_by\":\"elastic\",\"name\":\"Potential Persistence via File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: File Integrity Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. 
To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"fim\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\\n\\n### Elastic FIM Integration Setup\\nTo configure the Elastic FIM integration, follow these steps:\\n\\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\\n3. In the Kibana home page, click on \\\"Integrations\\\" in the left sidebar.\\n4. Search for \\\"File Integrity Monitoring\\\" in the search bar and select the integration.\\n5. Provide a name and optional description for the integration.\\n6. Select the appropriate agent policy for your Linux system or create a new one.\\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. 
You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\\n8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\\n\\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-fim.event-*\",\"auditbeat-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.dataset == \\\"fim.event\\\" and event.action == \\\"updated\\\" and\\nfile.path : (\\n // cron, anacron & at\\n \\\"/etc/cron.d/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.monthly/*\\\",\\n \\\"/etc/cron.weekly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/etc/cron.allow\\\",\\n \\\"/etc/cron.deny\\\", \\\"/var/spool/anacron/*\\\", \\\"/var/spool/cron/atjobs/*\\\",\\n\\n // systemd services & timers\\n \\\"/etc/systemd/system/*\\\", \\\"/usr/local/lib/systemd/system/*\\\", \\\"/lib/systemd/system/*\\\",\\n \\\"/usr/lib/systemd/system/*\\\", \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\",\\n\\n // LD_PRELOAD\\n \\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/ld.so.conf\\\",\\n\\n // message-of-the-day (MOTD)\\n \\\"/etc/update-motd.d/*\\\",\\n\\n // SSH\\n \\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\",\\n\\n // system-wide shell configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/zsh/*\\\", \\\"/etc/csh.cshrc\\\",\\n \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n\\n // root and user shell configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", 
\\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\",\\n\\n // runtime control\\n \\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\",\\n\\n // System V init/Upstart\\n \\\"/etc/init.d/*\\\", \\\"/etc/init/*\\\",\\n\\n // passwd/sudoers/shadow\\n \\\"/etc/passwd\\\", \\\"/etc/shadow\\\", \\\"/etc/sudoers\\\", \\\"/etc/sudoers.d/*\\\",\\n\\n // Systemd udevd\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\",\\n\\n // XDG/KDE autostart entries\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\"\\n) and not (\\n file.path : (\\n \\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/run/udev/rules.d/*rules.*\\\", \\\"/home/*/.ssh/known_hosts.*\\\", \\\"/root/.ssh/known_hosts.*\\\"\\n ) or\\n file.extension in (\\\"dpkg-new\\\", \\\"dpkg-remove\\\", \\\"SEQ\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Persistence via File 
Modification\",\"description\":\"This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: File Integrity Monitoring\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\\n\\n### Elastic FIM Integration Setup\\nTo configure the Elastic FIM integration, follow these steps:\\n\\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\\n3. 
In the Kibana home page, click on \\\"Integrations\\\" in the left sidebar.\\n4. Search for \\\"File Integrity Monitoring\\\" in the search bar and select the integration.\\n5. Provide a name and optional description for the integration.\\n6. Select the appropriate agent policy for your Linux system or create a new one.\\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\\n8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\\n\\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\\n\",\"related_integrations\":[{\"package\":\"fim\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.609Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.dataset == \\\"fim.event\\\" and event.action == \\\"updated\\\" and\\nfile.path : (\\n // cron, anacron & at\\n \\\"/etc/cron.d/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.monthly/*\\\",\\n \\\"/etc/cron.weekly/*\\\", \\\"/etc/crontab\\\", 
\\\"/var/spool/cron/crontabs/*\\\", \\\"/etc/cron.allow\\\",\\n \\\"/etc/cron.deny\\\", \\\"/var/spool/anacron/*\\\", \\\"/var/spool/cron/atjobs/*\\\",\\n\\n // systemd services & timers\\n \\\"/etc/systemd/system/*\\\", \\\"/usr/local/lib/systemd/system/*\\\", \\\"/lib/systemd/system/*\\\",\\n \\\"/usr/lib/systemd/system/*\\\", \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\",\\n\\n // LD_PRELOAD\\n \\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/ld.so.conf\\\",\\n\\n // message-of-the-day (MOTD)\\n \\\"/etc/update-motd.d/*\\\",\\n\\n // SSH\\n \\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\",\\n\\n // system-wide shell configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/zsh/*\\\", \\\"/etc/csh.cshrc\\\",\\n \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n\\n // root and user shell configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\",\\n\\n // runtime control\\n \\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\",\\n\\n // System V init/Upstart\\n \\\"/etc/init.d/*\\\", \\\"/etc/init/*\\\",\\n\\n // passwd/sudoers/shadow\\n \\\"/etc/passwd\\\", \\\"/etc/shadow\\\", \\\"/etc/sudoers\\\", \\\"/etc/sudoers.d/*\\\",\\n\\n // Systemd udevd\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", 
\\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\",\\n\\n // XDG/KDE autostart entries\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\"\\n) and not (\\n file.path : (\\n \\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/run/udev/rules.d/*rules.*\\\", \\\"/home/*/.ssh/known_hosts.*\\\", \\\"/root/.ssh/known_hosts.*\\\"\\n ) or\\n file.extension in (\\\"dpkg-new\\\", \\\"dpkg-remove\\\", \\\"SEQ\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-fim.event-*\",\"auditbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo 
Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control 
Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse 
Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"revision\":0,\"current_rule\":{\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"updated_at\":\"2024-12-04T19:45:43.549Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.549Z\",\"created_by\":\"elastic\",\"name\":\"Execution of COM object via Xwizard\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. 
Xwizard can be used to run a COM object created in registry to evade defensive counter measures.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\",\"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of COM object via Xwizard\",\"description\":\"Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. 
Xwizard can be used to run a COM object created in registry to evade defensive counter measures.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\",\"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.653Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.549Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or 
?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"revision\":0,\"current_rule\":{\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"updated_at\":\"2024-12-04T19:45:43.553Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.553Z\",\"created_by\":\"elastic\",\"name\":\"User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create new users. 
This is sometimes done by attackers to increase access or establish persistence on a system or domain.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Account Creation\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `net.exe` to create new accounts.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\" and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User Account Creation\",\"description\":\"Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Account Creation\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `net.exe` to create new accounts.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.653Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.553Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\" and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n 
(process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"revision\":0,\"current_rule\":{\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"updated_at\":\"2024-12-04T19:45:43.574Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.574Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious File Creation in /etc for Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious File Creation in /etc for Persistence\\n\\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\\n\\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified 
indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"file_create_event\\\") and user.id == \\\"0\\\" and\\nfile.path : (\\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/sudoers.d/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/systemd/system/*\\\",\\n\\\"/usr/lib/systemd/system/*\\\") and not (\\n (process.name : (\\n \\\"chef-client\\\", \\\"ruby\\\", \\\"pacman\\\", \\\"packagekitd\\\", \\\"python*\\\", \\\"platform-python\\\", \\\"dpkg\\\", \\\"yum\\\", \\\"apt\\\", \\\"dnf\\\", \\\"rpm\\\",\\n \\\"systemd\\\", \\\"snapd\\\", \\\"dnf-automatic\\\", \\\"yum-cron\\\", \\\"elastic-agent\\\", \\\"dnfdaemon-system\\\", \\\"dockerd\\\", \\\"executor\\\",\\n \\\"rhn_check\\\"\\n )\\n ) or \\n (file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"tmp\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious File Creation in /etc for Persistence\",\"description\":\"Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. 
File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious File Creation in /etc for Persistence\\n\\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\\n\\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified 
indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":116,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.653Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.574Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"file_create_event\\\") and user.id == \\\"0\\\" and\\nfile.path : (\\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/sudoers.d/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/systemd/system/*\\\",\\n\\\"/usr/lib/systemd/system/*\\\") and not (\\n (process.name : (\\n \\\"chef-client\\\", \\\"ruby\\\", \\\"pacman\\\", \\\"packagekitd\\\", \\\"python*\\\", \\\"platform-python\\\", \\\"dpkg\\\", \\\"yum\\\", \\\"apt\\\", \\\"dnf\\\", \\\"rpm\\\",\\n \\\"systemd\\\", 
\\\"snapd\\\", \\\"dnf-automatic\\\", \\\"yum-cron\\\", \\\"elastic-agent\\\", \\\"dnfdaemon-system\\\", \\\"dockerd\\\", \\\"executor\\\",\\n \\\"rhn_check\\\"\\n )\\n ) or \\n (file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"tmp\\\"))\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":116,\"merged_version\":116,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"target_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"revision\":0,\"current_rule\":{\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"updated_at\":\"2024-12-04T19:45:43.579Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.579Z\",\"created_by\":\"elastic\",\"name\":\"Incoming Execution via WinRM Remote Shell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"WinRM is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and process.pid == 4 and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n 
destination.port in (5985, 5986) and network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"winrshost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming Execution via WinRM Remote Shell\",\"description\":\"Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"WinRM is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.653Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.579Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and process.pid == 4 and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n destination.port in (5985, 5986) and network.protocol == \\\"http\\\" and source.ip != 
\\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"winrshost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"revision\":0,\"current_rule\":{\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"updated_at\":\"2024-12-04T19:45:43.584Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.584Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via Script Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Script Interpreter\\n\\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path 
=\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and network.type == \\\"ipv4\\\" and destination.ip != \\\"127.0.0.1\\\"\\n ]\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : (\\\"exe\\\", \\\"dll\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via Script Interpreter\",\"description\":\"Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Script Interpreter\\n\\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path 
=\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.654Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.584Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and network.type == \\\"ipv4\\\" and destination.ip != \\\"127.0.0.1\\\"\\n ]\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : (\\\"exe\\\", 
\\\"dll\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"revision\":0,\"current_rule\":{\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"updated_at\":\"2024-12-04T19:45:43.591Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.591Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Encryption/Decryption Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security 
solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of encryption.\"],\"from\":\"now-9m\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Cryptography.AESManaged\\\" or\\n \\\"Cryptography.RijndaelManaged\\\" or\\n \\\"Cryptography.SHA1Managed\\\" or\\n \\\"Cryptography.SHA256Managed\\\" or\\n \\\"Cryptography.SHA384Managed\\\" or\\n \\\"Cryptography.SHA512Managed\\\" or\\n \\\"Cryptography.SymmetricAlgorithm\\\" or\\n \\\"PasswordDeriveBytes\\\" or\\n \\\"Rfc2898DeriveBytes\\\"\\n ) and\\n (\\n CipherMode and PaddingMode\\n ) and\\n (\\n \\\".CreateEncryptor\\\" or\\n \\\".CreateDecryptor\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.name : \\\"Bootstrap.Octopus.FunctionAppenderContext.ps1\\\" and\\n powershell.file.script_block_text : (\\\"function Decrypt-Variables\\\" or \\\"github.com/OctopusDeploy\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Encryption/Decryption Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security 
solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of encryption.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.654Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.591Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Cryptography.AESManaged\\\" or\\n \\\"Cryptography.RijndaelManaged\\\" or\\n \\\"Cryptography.SHA1Managed\\\" or\\n \\\"Cryptography.SHA256Managed\\\" or\\n \\\"Cryptography.SHA384Managed\\\" or\\n \\\"Cryptography.SHA512Managed\\\" or\\n \\\"Cryptography.SymmetricAlgorithm\\\" or\\n \\\"PasswordDeriveBytes\\\" or\\n \\\"Rfc2898DeriveBytes\\\"\\n ) and\\n (\\n CipherMode and PaddingMode\\n ) and\\n (\\n \\\".CreateEncryptor\\\" or\\n \\\".CreateDecryptor\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.name : \\\"Bootstrap.Octopus.FunctionAppenderContext.ps1\\\" and\\n powershell.file.script_block_text : (\\\"function Decrypt-Variables\\\" or \\\"github.com/OctopusDeploy\\\")\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"revision\":0,\"current_rule\":{\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"updated_at\":\"2024-12-04T19:45:43.593Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.593Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via DiskCleanup Scheduled Task Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via DiskCleanup Scheduled Task Hijack\",\"description\":\"Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.654Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.593Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"revision\":0,\"current_rule\":{\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"updated_at\":\"2024-12-04T19:45:43.603Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.603Z\",\"created_by\":\"elastic\",\"name\":\"Execution of File Written or Modified by PDF Reader\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious file that was written by a PDF reader application and subsequently executed. 
These processes are often launched via exploitation of PDF applications.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by PDF Reader\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-120m\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"AcroRd32.exe\\\" or\\n process.name : \\\"rdrcef.exe\\\" or\\n process.name : \\\"FoxitPhantomPDF.exe\\\" or\\n process.name : \\\"FoxitReader.exe\\\") and\\n not (file.name : \\\"FoxitPhantomPDF.exe\\\" or\\n file.name : \\\"FoxitPhantomPDFUpdater.exe\\\" or\\n file.name : \\\"FoxitReader.exe\\\" or\\n file.name : \\\"FoxitReaderUpdater.exe\\\" or\\n file.name : \\\"AcroRd32.exe\\\" or\\n file.name : \\\"rdrcef.exe\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of File Written or Modified by PDF Reader\",\"description\":\"Identifies a suspicious file that was written by a PDF 
reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by PDF Reader\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-120m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.603Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"AcroRd32.exe\\\" or\\n process.name : \\\"rdrcef.exe\\\" or\\n process.name : \\\"FoxitPhantomPDF.exe\\\" or\\n process.name : \\\"FoxitReader.exe\\\") and\\n not (file.name : \\\"FoxitPhantomPDF.exe\\\" or\\n file.name : \\\"FoxitPhantomPDFUpdater.exe\\\" or\\n file.name : \\\"FoxitReader.exe\\\" or\\n file.name : \\\"FoxitReaderUpdater.exe\\\" or\\n file.name : \\\"AcroRd32.exe\\\" or\\n file.name : \\\"rdrcef.exe\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"] by host.id, 
process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"revision\":0,\"current_rule\":{\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"updated_at\":\"2024-12-04T19:45:43.605Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.605Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Hack Tool Launched\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of different processes that might be used by attackers for malicious intent. 
An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Hack Tool 
Launched\",\"description\":\"Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.605Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", 
\\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", 
\\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce 
noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"revision\":0,\"current_rule\":{\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"updated_at\":\"2024-12-04T19:45:43.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.608Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Discovery Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Discovery\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to discovery activities. 
Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"},{\"id\":\"T1615\",\"name\":\"Group Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"},{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1518\",\"name\":\"Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]},{\"id\":\"T1012\",\"name\":\"Query Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1012/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1049\",\"name\":\"System Network Connections Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1049/\"},{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging 
policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADDomain\\\" or \\\"Get-ComputerInfo\\\" or\\n \\\"Get-Disk\\\" or \\\"Get-DnsClientCache\\\" or\\n \\\"Get-GPOReport\\\" or \\\"Get-HotFix\\\" or\\n \\\"Get-LocalUser\\\" or \\\"Get-NetFirewallProfile\\\" or\\n \\\"get-nettcpconnection\\\" or \\\"Get-NetAdapter\\\" or\\n \\\"Get-PhysicalDisk\\\" or \\\"Get-Process\\\" or\\n \\\"Get-PSDrive\\\" or \\\"Get-Service\\\" or\\n \\\"Get-SmbShare\\\" or \\\"Get-WinEvent\\\"\\n ) or\\n (\\n (\\\"Get-WmiObject\\\" or \\\"gwmi\\\" or \\\"Get-CimInstance\\\" or\\n \\\"gcim\\\" or \\\"Management.ManagementObjectSearcher\\\" or\\n \\\"System.Management.ManagementClass\\\" or\\n \\\"[WmiClass]\\\" or \\\"[WMI]\\\") and\\n (\\n \\\"AntiVirusProduct\\\" or \\\"CIM_BIOSElement\\\" or \\\"CIM_ComputerSystem\\\" or \\\"CIM_Product\\\" or \\\"CIM_DiskDrive\\\" or\\n \\\"CIM_LogicalDisk\\\" or \\\"CIM_NetworkAdapter\\\" or \\\"CIM_StorageVolume\\\" or \\\"CIM_OperatingSystem\\\" or\\n \\\"CIM_Process\\\" or \\\"CIM_Service\\\" or \\\"MSFT_DNSClientCache\\\" or \\\"Win32_BIOS\\\" or \\\"Win32_ComputerSystem\\\" or\\n \\\"Win32_ComputerSystemProduct\\\" or \\\"Win32_DiskDrive\\\" or \\\"win32_environment\\\" or \\\"Win32_Group\\\" or\\n \\\"Win32_groupuser\\\" or \\\"Win32_IP4RouteTable\\\" or \\\"Win32_logicaldisk\\\" or \\\"Win32_MappedLogicalDisk\\\" or\\n \\\"Win32_NetworkAdapterConfiguration\\\" or \\\"win32_ntdomain\\\" or \\\"Win32_OperatingSystem\\\" or\\n \\\"Win32_PnPEntity\\\" or \\\"Win32_Process\\\" or \\\"Win32_Product\\\" or \\\"Win32_quickfixengineering\\\" or\\n 
\\\"win32_service\\\" or \\\"Win32_Share\\\" or \\\"Win32_UserAccount\\\"\\n )\\n ) or\\n (\\n (\\\"ADSI\\\" and \\\"WinNT\\\") or\\n (\\\"Get-ChildItem\\\" and \\\"sysmondrv.sys\\\") or\\n (\\\"::GetIPGlobalProperties()\\\" and \\\"GetActiveTcpConnections()\\\") or\\n (\\\"ServiceProcess.ServiceController\\\" and \\\"::GetServices\\\") or\\n (\\\"Diagnostics.Process\\\" and \\\"::GetProcesses\\\") or\\n (\\\"DirectoryServices.Protocols.GroupPolicy\\\" and \\\".GetGPOReport()\\\") or\\n (\\\"DirectoryServices.AccountManagement\\\" and \\\"PrincipalSearcher\\\") or\\n (\\\"NetFwTypeLib.NetFwMgr\\\" and \\\"CurrentProfile\\\") or\\n (\\\"NetworkInformation.NetworkInterface\\\" and \\\"GetAllNetworkInterfaces\\\") or\\n (\\\"Automation.PSDriveInfo\\\") or\\n (\\\"Microsoft.Win32.RegistryHive\\\")\\n ) or\\n (\\n \\\"Get-ItemProperty\\\" and\\n (\\n \\\"\\\\Control\\\\SecurityProviders\\\\WDigest\\\" or\\n \\\"\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\runmru\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\" or\\n \\\"Policies\\\\Microsoft\\\\Windows\\\\Installer\\\" or\\n \\\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\" or\\n (\\\"\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\" and \\\"EnableFirewall\\\") or\\n (\\\"Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\" and \\\"proxyEnable\\\")\\n )\\n ) or\\n (\\n (\\\"Directoryservices.Activedirectory\\\" or\\n \\\"DirectoryServices.AccountManagement\\\") and \\n (\\n \\\"Domain Admins\\\" or \\\"DomainControllers\\\" or\\n \\\"FindAllGlobalCatalogs\\\" or \\\"GetAllTrustRelationships\\\" or\\n \\\"GetCurrentDomain\\\" or \\\"GetCurrentForest\\\"\\n ) or\\n \\\"DirectoryServices.DirectorySearcher\\\" and\\n (\\n \\\"samAccountType=805306368\\\" or\\n 
\\\"samAccountType=805306369\\\" or\\n \\\"objectCategory=group\\\" or\\n \\\"objectCategory=groupPolicyContainer\\\" or\\n \\\"objectCategory=site\\\" or\\n \\\"objectCategory=subnet\\\" or\\n \\\"objectClass=trustedDomain\\\"\\n )\\n ) or\\n (\\n \\\"Get-Process\\\" and\\n (\\n \\\"mcshield\\\" or \\\"windefend\\\" or \\\"savservice\\\" or\\n \\\"TMCCSF\\\" or \\\"symantec antivirus\\\" or\\n \\\"CSFalcon\\\" or \\\"TmPfw\\\" or \\\"kvoop\\\"\\n )\\n )\\n ) and\\n not powershell.file.script_block_text : (\\n (\\n \\\"__cmdletization_BindCommonParameters\\\" and\\n \\\"Microsoft.PowerShell.Core\\\\Export-ModuleMember\\\" and\\n \\\"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\\\"\\n ) or\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\",\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\")\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Azure AD Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"*ServiceNow MID 
Server*\\\\\\\\agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Discovery Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to discovery activities. 
Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Discovery\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"},{\"id\":\"T1615\",\"name\":\"Group Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"},{\"id\":\"T1201\",\"name\":\"Password Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]},{\"id\":\"T1012\",\"name\":\"Query Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1012/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1049\",\"name\":\"System Network Connections Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1049/\"},{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Azure AD Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"*ServiceNow MID 
Server*\\\\\\\\agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADDomain\\\" or \\\"Get-ComputerInfo\\\" or\\n \\\"Get-Disk\\\" or \\\"Get-DnsClientCache\\\" or\\n \\\"Get-GPOReport\\\" or \\\"Get-HotFix\\\" or\\n \\\"Get-LocalUser\\\" or \\\"Get-NetFirewallProfile\\\" or\\n \\\"get-nettcpconnection\\\" or \\\"Get-NetAdapter\\\" or\\n \\\"Get-PhysicalDisk\\\" or \\\"Get-Process\\\" or\\n \\\"Get-PSDrive\\\" or \\\"Get-Service\\\" or\\n \\\"Get-SmbShare\\\" or \\\"Get-WinEvent\\\"\\n ) or\\n (\\n (\\\"Get-WmiObject\\\" or \\\"gwmi\\\" or \\\"Get-CimInstance\\\" or\\n \\\"gcim\\\" or \\\"Management.ManagementObjectSearcher\\\" or\\n \\\"System.Management.ManagementClass\\\" or\\n \\\"[WmiClass]\\\" or \\\"[WMI]\\\") and\\n (\\n \\\"AntiVirusProduct\\\" or \\\"CIM_BIOSElement\\\" or \\\"CIM_ComputerSystem\\\" or \\\"CIM_Product\\\" or \\\"CIM_DiskDrive\\\" or\\n 
\\\"CIM_LogicalDisk\\\" or \\\"CIM_NetworkAdapter\\\" or \\\"CIM_StorageVolume\\\" or \\\"CIM_OperatingSystem\\\" or\\n \\\"CIM_Process\\\" or \\\"CIM_Service\\\" or \\\"MSFT_DNSClientCache\\\" or \\\"Win32_BIOS\\\" or \\\"Win32_ComputerSystem\\\" or\\n \\\"Win32_ComputerSystemProduct\\\" or \\\"Win32_DiskDrive\\\" or \\\"win32_environment\\\" or \\\"Win32_Group\\\" or\\n \\\"Win32_groupuser\\\" or \\\"Win32_IP4RouteTable\\\" or \\\"Win32_logicaldisk\\\" or \\\"Win32_MappedLogicalDisk\\\" or\\n \\\"Win32_NetworkAdapterConfiguration\\\" or \\\"win32_ntdomain\\\" or \\\"Win32_OperatingSystem\\\" or\\n \\\"Win32_PnPEntity\\\" or \\\"Win32_Process\\\" or \\\"Win32_Product\\\" or \\\"Win32_quickfixengineering\\\" or\\n \\\"win32_service\\\" or \\\"Win32_Share\\\" or \\\"Win32_UserAccount\\\"\\n )\\n ) or\\n (\\n (\\\"ADSI\\\" and \\\"WinNT\\\") or\\n (\\\"Get-ChildItem\\\" and \\\"sysmondrv.sys\\\") or\\n (\\\"::GetIPGlobalProperties()\\\" and \\\"GetActiveTcpConnections()\\\") or\\n (\\\"ServiceProcess.ServiceController\\\" and \\\"::GetServices\\\") or\\n (\\\"Diagnostics.Process\\\" and \\\"::GetProcesses\\\") or\\n (\\\"DirectoryServices.Protocols.GroupPolicy\\\" and \\\".GetGPOReport()\\\") or\\n (\\\"DirectoryServices.AccountManagement\\\" and \\\"PrincipalSearcher\\\") or\\n (\\\"NetFwTypeLib.NetFwMgr\\\" and \\\"CurrentProfile\\\") or\\n (\\\"NetworkInformation.NetworkInterface\\\" and \\\"GetAllNetworkInterfaces\\\") or\\n (\\\"Automation.PSDriveInfo\\\") or\\n (\\\"Microsoft.Win32.RegistryHive\\\")\\n ) or\\n (\\n \\\"Get-ItemProperty\\\" and\\n (\\n \\\"\\\\Control\\\\SecurityProviders\\\\WDigest\\\" or\\n \\\"\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\runmru\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\" or\\n 
\\\"Policies\\\\Microsoft\\\\Windows\\\\Installer\\\" or\\n \\\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\" or\\n (\\\"\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\" and \\\"EnableFirewall\\\") or\\n (\\\"Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\" and \\\"proxyEnable\\\")\\n )\\n ) or\\n (\\n (\\\"Directoryservices.Activedirectory\\\" or\\n \\\"DirectoryServices.AccountManagement\\\") and \\n (\\n \\\"Domain Admins\\\" or \\\"DomainControllers\\\" or\\n \\\"FindAllGlobalCatalogs\\\" or \\\"GetAllTrustRelationships\\\" or\\n \\\"GetCurrentDomain\\\" or \\\"GetCurrentForest\\\"\\n ) or\\n \\\"DirectoryServices.DirectorySearcher\\\" and\\n (\\n \\\"samAccountType=805306368\\\" or\\n \\\"samAccountType=805306369\\\" or\\n \\\"objectCategory=group\\\" or\\n \\\"objectCategory=groupPolicyContainer\\\" or\\n \\\"objectCategory=site\\\" or\\n \\\"objectCategory=subnet\\\" or\\n \\\"objectClass=trustedDomain\\\"\\n )\\n ) or\\n (\\n \\\"Get-Process\\\" and\\n (\\n \\\"mcshield\\\" or \\\"windefend\\\" or \\\"savservice\\\" or\\n \\\"TMCCSF\\\" or \\\"symantec antivirus\\\" or\\n \\\"CSFalcon\\\" or \\\"TmPfw\\\" or \\\"kvoop\\\"\\n )\\n )\\n ) and\\n not powershell.file.script_block_text : (\\n (\\n \\\"__cmdletization_BindCommonParameters\\\" and\\n \\\"Microsoft.PowerShell.Core\\\\Export-ModuleMember\\\" and\\n \\\"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\\\"\\n ) or\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\",\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"revision\":0,\"current_rule\":{\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"updated_at\":\"2024-12-04T19:45:43.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.613Z\",\"created_by\":\"elastic\",\"name\":\"Creation of a DNS-Named Record\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. 
They can also create specific records to target specific services, such as wpad, for spoofing attacks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above 
policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectClass == \\\"dnsNode\\\" and\\n not winlog.event_data.SubjectUserName : \\\"*$\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of a DNS-Named Record\",\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. 
They can also create specific records to target specific services, such as wpad, for spoofing attacks.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents 
-AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectClass == \\\"dnsNode\\\" and\\n not winlog.event_data.SubjectUserName : \\\"*$\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory 
Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"revision\":0,\"current_rule\":{\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"updated_at\":\"2024-12-04T19:45:43.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.615Z\",\"created_by\":\"elastic\",\"name\":\"Creation of SettingContent-ms Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.extension : \\\"settingcontent-ms\\\" and\\n not file.path : (\\n 
\\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\windows.immersivecontrolpanel_*\\\\\\\\LocalState\\\\\\\\Indexed\\\\\\\\Settings\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-s..*\\\\\\\\*.settingcontent-ms\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of SettingContent-ms Files\",\"description\":\"Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.extension : \\\"settingcontent-ms\\\" and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\windows.immersivecontrolpanel_*\\\\\\\\LocalState\\\\\\\\Indexed\\\\\\\\Settings\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-s..*\\\\\\\\*.settingcontent-ms\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"revision\":0,\"current_rule\":{\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"updated_at\":\"2024-12-04T19:45:43.620Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.620Z\",\"created_by\":\"elastic\",\"name\":\"Potential Antimalware Scan Interface Bypass via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of 
PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate commands and scripts executed after this activity was observed.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:\\\"process\\\" and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"System.Management.Automation.AmsiUtils\\\" or\\n\\t\\t\\tamsiInitFailed or \\n\\t\\t\\t\\\"Invoke-AmsiBypass\\\" or \\n\\t\\t\\t\\\"Bypass.AMSI\\\" or \\n\\t\\t\\t\\\"amsi.dll\\\" or \\n\\t\\t\\tAntimalwareProvider or \\n\\t\\t\\tamsiSession or \\n\\t\\t\\tamsiContext or\\n\\t\\t\\tAmsiInitialize or \\n\\t\\t\\tunloadobfuscated or \\n\\t\\t\\tunloadsilent or \\n\\t\\t\\tAmsiX64 or \\n\\t\\t\\tAmsiX32 or \\n\\t\\t\\tFindAmsiFun\\n ) or\\n powershell.file.script_block_text:(\\\"[System.Runtime.InteropServices.Marshal]::Copy\\\" and \\\"VirtualProtect\\\") or\\n powershell.file.script_block_text:(\\\"[Ref].Assembly.GetType(('System.Management.Automation\\\" and \\\".SetValue(\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Antimalware Scan Interface Bypass via PowerShell\",\"description\":\"Identifies the execution of PowerShell script with keywords related to different Antimalware 
Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate commands and scripts executed after this activity was observed.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.620Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:\\\"process\\\" and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"System.Management.Automation.AmsiUtils\\\" or\\n\\t\\t\\tamsiInitFailed or \\n\\t\\t\\t\\\"Invoke-AmsiBypass\\\" or \\n\\t\\t\\t\\\"Bypass.AMSI\\\" or \\n\\t\\t\\t\\\"amsi.dll\\\" or \\n\\t\\t\\tAntimalwareProvider or \\n\\t\\t\\tamsiSession or \\n\\t\\t\\tamsiContext or\\n\\t\\t\\tAmsiInitialize or \\n\\t\\t\\tunloadobfuscated or \\n\\t\\t\\tunloadsilent or \\n\\t\\t\\tAmsiX64 or \\n\\t\\t\\tAmsiX32 or \\n\\t\\t\\tFindAmsiFun\\n ) or\\n powershell.file.script_block_text:(\\\"[System.Runtime.InteropServices.Marshal]::Copy\\\" and \\\"VirtualProtect\\\") or\\n powershell.file.script_block_text:(\\\"[Ref].Assembly.GetType(('System.Management.Automation\\\" and \\\".SetValue(\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"revision\":0,\"current_rule\":{\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"updated_at\":\"2024-12-04T19:45:43.623Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.623Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Execution on WBEM Path\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\wbem\\\\\\\\*\\\") and\\n not process.name : (\\n \\\"mofcomp.exe\\\",\\n \\\"scrcons.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wbemtest.exe\\\",\\n \\\"winmgmt.exe\\\",\\n \\\"wmiadap.exe\\\",\\n \\\"wmiapsrv.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"wmiprvse.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Execution on WBEM Path\",\"description\":\"Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.623Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\wbem\\\\\\\\*\\\") and\\n not process.name : (\\n \\\"mofcomp.exe\\\",\\n \\\"scrcons.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wbemtest.exe\\\",\\n \\\"winmgmt.exe\\\",\\n \\\"wmiadap.exe\\\",\\n \\\"wmiapsrv.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"wmiprvse.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"revision\":0,\"current_rule\":{\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"updated_at\":\"2024-12-04T19:45:43.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.628Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Activity from a Windows System Binary\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity from a Windows System Binary\\n\\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\\n\\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"},{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" 
or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Activity from a Windows System Binary\",\"description\":\"Identifies network activity from unexpected system applications. 
This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity from a Windows System Binary\\n\\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\\n\\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"},{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n 
process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n 
\\\"evcs-ocsp.ws.symantec.com\\\", \\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name 
: \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n 
process.name : \\\"xwizard.exe\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", 
\\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n \\\"evcs-ocsp.ws.symantec.com\\\", \\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n 
process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n \\\"evcs-ocsp.ws.symantec.com\\\", 
\\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"revision\":0,\"current_rule\":{\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"updated_at\":\"2024-12-04T19:45:43.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.637Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious .NET Code Compilation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : 
(\\\"csc.exe\\\", \\\"vbc.exe\\\") and\\n process.parent.name : (\\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"cscript.exe\\\", \\\"wmic.exe\\\", \\\"svchost.exe\\\", \\\"rundll32.exe\\\", \\\"cmstp.exe\\\", \\\"regsvr32.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious .NET Code Compilation\",\"description\":\"Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"csc.exe\\\", \\\"vbc.exe\\\") and\\n process.parent.name : (\\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"cscript.exe\\\", \\\"wmic.exe\\\", \\\"svchost.exe\\\", \\\"rundll32.exe\\\", \\\"cmstp.exe\\\", 
\\\"regsvr32.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"revision\":0,\"current_rule\":{\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"updated_at\":\"2024-12-04T19:45:40.141Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.141Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of Root Certificate\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a local trusted root certificate in Windows. 
The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation or Modification of Root Certificate\\n\\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\\n\\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\\n\\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain applications may install root certificates for the purpose of inspecting SSL traffic.\"],\"from\":\"now-9m\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.004\",\"name\":\"Install Root 
Certificate\",\"reference\":\"https://attack.mitre.org/techniques/T1553/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\",\"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of Root Certificate\",\"description\":\"Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation or Modification of Root Certificate\\n\\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. 
Windows adds several trusted root certificates so browsers can use them to communicate with websites.\\n\\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\\n\\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain applications may install root certificates for the purpose of inspecting SSL traffic.\"],\"references\":[\"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\",\"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.004\",\"name\":\"Install Root 
Certificate\",\"reference\":\"https://attack.mitre.org/techniques/T1553/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.141Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows 
Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"revision\":0,\"current_rule\":{\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"updated_at\":\"2024-12-04T19:45:43.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.645Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Web Browser Sensitive File Access\",\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. 
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.003\",\"name\":\"Credentials from Web Browsers\",\"reference\":\"https://attack.mitre.org/techniques/T1555/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://securelist.com/calisto-trojan-for-macos/86543/\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.effective_parent.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis 
rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not process.Ext.effective_parent.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Web Browser Sensitive File Access\",\"description\":\"Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. 
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://securelist.com/calisto-trojan-for-macos/86543/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.003\",\"name\":\"Credentials from Web Browsers\",\"reference\":\"https://attack.mitre.org/techniques/T1555/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.645Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n 
((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.effective_parent.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyw
ord\",\"ecs\":true}],\"merged_version\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not process.Ext.effective_parent.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not 
process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"revision\":0,\"current_rule\":{\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"updated_at\":\"2024-12-04T19:45:43.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.648Z\",\"created_by\":\"elastic\",\"name\":\"Werfault ReflectDebugger Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the registration of a Werfault Debugger. 
Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \\\"-pr\\\" parameter.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Werfault ReflectDebugger Persistence\",\"description\":\"Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \\\"-pr\\\" parameter.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.648Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error 
Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"revision\":0,\"current_rule\":{\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"updated_at\":\"2024-12-04T19:45:43.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.650Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Memory Dump Handle Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. 
It detects this behavior at a low level and does not depend on a specific tool or dump file name.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Handle Access\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Scope compromised credentials and disable the accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656\",\"https://twitter.com/jsecurity101/status/1227987828534956033?s=20\",\"https://attack.mitre.org/techniques/T1003/001/\",\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html\",\"http://findingbad.blogspot.com/2017/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nAlso, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access 
rights.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action == \\\"File System\\\" and event.code == \\\"4656\\\" and\\n\\n winlog.event_data.ObjectName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\") and\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n (winlog.event_data.AccessMask : (\\\"0x1fffff\\\" , \\\"0x1010\\\", \\\"0x120089\\\", \\\"0x1F3FFF\\\") or\\n winlog.event_data.AccessMaskDescription : (\\\"READ_CONTROL\\\", \\\"Read from process memory\\\"))\\n\\n /* Common Noisy False Positives */\\n\\n and not winlog.event_data.ProcessName : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Memory Dump Handle Access\",\"description\":\"Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Handle Access\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Scope compromised credentials and disable the accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656\",\"https://twitter.com/jsecurity101/status/1227987828534956033?s=20\",\"https://attack.mitre.org/techniques/T1003/001/\",\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html\",\"http://findingbad.blogspot.com/2017/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nAlso, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.650Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action == \\\"File System\\\" and event.code == \\\"4656\\\" and\\n\\n winlog.event_data.ObjectName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\") and\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n (winlog.event_data.AccessMask : (\\\"0x1fffff\\\" , \\\"0x1010\\\", \\\"0x120089\\\", \\\"0x1F3FFF\\\") or\\n winlog.event_data.AccessMaskDescription : (\\\"READ_CONTROL\\\", \\\"Read from process memory\\\"))\\n\\n /* Common Noisy False Positives */\\n\\n and not winlog.event_data.ProcessName : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"revision\":0,\"current_rule\":{\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"updated_at\":\"2024-12-04T19:45:43.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.652Z\",\"created_by\":\"elastic\",\"name\":\"Mofcomp Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. 
Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mofcomp.exe\\\" and process.args : \\\"*.mof\\\" and\\n not user.id : \\\"S-1-5-18\\\" and\\n not\\n (\\n process.parent.name : \\\"ScenarioEngine.exe\\\" and\\n process.args : (\\n \\\"*\\\\\\\\MSSQL\\\\\\\\Binn\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\Microsoft SQL Server\\\\\\\\???\\\\\\\\Shared\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\OLAP\\\\\\\\bin\\\\\\\\*.mof\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mofcomp Activity\",\"description\":\"Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. 
Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mofcomp.exe\\\" and process.args : \\\"*.mof\\\" and\\n not user.id : \\\"S-1-5-18\\\" and\\n not\\n (\\n process.parent.name : \\\"ScenarioEngine.exe\\\" and\\n process.args : (\\n \\\"*\\\\\\\\MSSQL\\\\\\\\Binn\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\Microsoft SQL Server\\\\\\\\???\\\\\\\\Shared\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\OLAP\\\\\\\\bin\\\\\\\\*.mof\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"updated_at\":\"2024-12-04T19:45:43.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.657Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Google Workspace OAuth Login from Third-Party Application\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. 
Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.\"],\"from\":\"now-130m\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.token.scope.data\",\"type\":\"flattened\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"google_workspace.token\\\" and event.action: \\\"authorize\\\" and\\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\\n\",\"new_terms_fields\":[\"google_workspace.token.client.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Google Workspace OAuth Login from Third-Party Application\",\"description\":\"Detects the first time a third-party application logs in and 
authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.\"],\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace 
Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.token.scope.data\",\"type\":\"flattened\",\"ecs\":false}],\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.657Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"google_workspace.token\\\" and event.action: \\\"authorize\\\" and\\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\\n\",\"new_terms_fields\":[\"google_workspace.token.client.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"target_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"merged_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"revision\":0,\"current_rule\":{\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"updated_at\":\"2024-12-04T19:45:43.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.660Z\",\"created_by\":\"elastic\",\"name\":\"Full User-Mode Dumps Enabled System-Wide\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. 
This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\",\"https://github.com/deepinstinct/Lsass-Shtinkering\",\"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\"\\n ) and\\n registry.data.strings : (\\\"2\\\", \\\"0x00000002\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\" and user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Full User-Mode Dumps Enabled System-Wide\",\"description\":\"Identifies the enable of the full user-mode dumps feature system-wide. 
This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\",\"https://github.com/deepinstinct/Lsass-Shtinkering\",\"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.660Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\"\\n ) and\\n registry.data.strings : (\\\"2\\\", \\\"0x00000002\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\" and user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", 
\\\"S-1-5-20\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"revision\":0,\"current_rule\":{\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"updated_at\":\"2024-12-04T19:45:44.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.732Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Module Load via insmod\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Rootkit\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. 
Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kernel module load via insmod\\n\\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \\n\\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\\n\\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the kernel object file that was loaded via insmod.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = 
{{user.name}}\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - $osquery_6\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation 
to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and 
Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Module Load via insmod\",\"description\":\"Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. 
Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kernel module load via insmod\\n\\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \\n\\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\\n\\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the kernel object file that was loaded via insmod.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - $osquery_6\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Rootkit\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", 
\\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot 
process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", \\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", \\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"revision\":0,\"current_rule\":{\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"updated_at\":\"2024-12-04T19:45:44.596Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.596Z\",\"created_by\":\"elastic\",\"name\":\"Unknown Execution of Binary with RWX Memory Region\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. 
RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\\n process.executable:(\\n \\\"/usr/share/kibana/node/bin/node\\\" or \\\"/usr/share/elasticsearch/jdk/bin/java\\\" or \\\"/usr/sbin/apache2\\\"\\n ) or\\n process.name:httpd\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Unknown Execution of Binary with RWX Memory Region\",\"description\":\"Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. 
This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.596Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\\n process.executable:(\\n \\\"/usr/share/kibana/node/bin/node\\\" or 
\\\"/usr/share/elasticsearch/jdk/bin/java\\\" or \\\"/usr/sbin/apache2\\\"\\n ) or\\n process.name:httpd\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"target_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"revision\":0,\"current_rule\":{\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"updated_at\":\"2024-12-04T19:45:44.601Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.601Z\",\"created_by\":\"elastic\",\"name\":\"Lateral Movement via Startup Folder\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious file creations in the startup folder of a remote system. 
An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and\\n\\n /* via RDP TSClient mounted share or SMB */\\n (process.name : \\\"mstsc.exe\\\" or process.pid == 4) and\\n\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Lateral Movement via Startup 
Folder\",\"description\":\"Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.601Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and\\n\\n /* via RDP TSClient mounted share or SMB */\\n (process.name : \\\"mstsc.exe\\\" or process.pid == 4) and\\n\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\"],\"target_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"revision\":0,\"current_rule\":{\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"updated_at\":\"2024-12-04T19:45:44.604Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.604Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell HackTool Script by Author\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"host.os.type:windows and event.category:process and\\n powershell.file.script_block_text : (\\n \\\"mattifestation\\\" or \\\"JosephBialek\\\" or\\n \\\"harmj0y\\\" or \\\"ukstufus\\\" or\\n \\\"SecureThisShit\\\" or \\\"Matthew Graeber\\\" or\\n \\\"secabstraction\\\" or \\\"mgeeky\\\" or\\n \\\"oddvarmoe\\\" or \\\"am0nsec\\\" or\\n \\\"obscuresec\\\" or \\\"sixdub\\\" or\\n \\\"darkoperator\\\" or \\\"funoverip\\\" or\\n \\\"rvrsh3ll\\\" or \\\"kevin_robertson\\\" or\\n \\\"dafthack\\\" or \\\"r4wd3r\\\" or\\n \\\"danielhbohannon\\\" or 
\\\"OneLogicalMyth\\\" or\\n \\\"cobbr_io\\\" or \\\"xorrior\\\" or\\n \\\"PetrMedonos\\\" or \\\"citronneur\\\" or\\n \\\"eladshamir\\\" or \\\"RastaMouse\\\" or\\n \\\"enigma0x3\\\" or \\\"FuzzySec\\\" or\\n \\\"424f424f\\\" or \\\"jaredhaight\\\" or\\n \\\"fullmetalcache\\\" or \\\"Hubbl3\\\" or\\n \\\"curi0usJack\\\" or \\\"Cx01N\\\" or\\n \\\"itm4n\\\" or \\\"nurfed1\\\" or\\n \\\"cfalta\\\" or \\\"Scott Sutherland\\\" or\\n \\\"_nullbind\\\" or \\\"_tmenochet\\\" or\\n \\\"jaredcatkinson\\\" or \\\"ChrisTruncer\\\" or\\n \\\"monoxgas\\\" or \\\"TheRealWover\\\" or\\n \\\"splinter_code\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell HackTool Script by Author\",\"description\":\"Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.604Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"host.os.type:windows and event.category:process and\\n powershell.file.script_block_text : (\\n \\\"mattifestation\\\" or \\\"JosephBialek\\\" or\\n \\\"harmj0y\\\" or \\\"ukstufus\\\" or\\n \\\"SecureThisShit\\\" or \\\"Matthew Graeber\\\" or\\n \\\"secabstraction\\\" or \\\"mgeeky\\\" or\\n \\\"oddvarmoe\\\" or \\\"am0nsec\\\" or\\n \\\"obscuresec\\\" or \\\"sixdub\\\" or\\n \\\"darkoperator\\\" or \\\"funoverip\\\" or\\n \\\"rvrsh3ll\\\" or \\\"kevin_robertson\\\" or\\n \\\"dafthack\\\" or 
\\\"r4wd3r\\\" or\\n \\\"danielhbohannon\\\" or \\\"OneLogicalMyth\\\" or\\n \\\"cobbr_io\\\" or \\\"xorrior\\\" or\\n \\\"PetrMedonos\\\" or \\\"citronneur\\\" or\\n \\\"eladshamir\\\" or \\\"RastaMouse\\\" or\\n \\\"enigma0x3\\\" or \\\"FuzzySec\\\" or\\n \\\"424f424f\\\" or \\\"jaredhaight\\\" or\\n \\\"fullmetalcache\\\" or \\\"Hubbl3\\\" or\\n \\\"curi0usJack\\\" or \\\"Cx01N\\\" or\\n \\\"itm4n\\\" or \\\"nurfed1\\\" or\\n \\\"cfalta\\\" or \\\"Scott Sutherland\\\" or\\n \\\"_nullbind\\\" or \\\"_tmenochet\\\" or\\n \\\"jaredcatkinson\\\" or \\\"ChrisTruncer\\\" or\\n \\\"monoxgas\\\" or \\\"TheRealWover\\\" or\\n \\\"splinter_code\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"revision\":0,\"current_rule\":{\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"updated_at\":\"2024-12-04T19:45:44.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.608Z\",\"created_by\":\"elastic\",\"name\":\"Network Activity Detected via Kworker\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"},{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1041\",\"name\":\"Exfiltration Over C2 
Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1041/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:2049\\n\",\"new_terms_fields\":[\"process.name\",\"destination.ip\",\"destination.port\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Activity Detected via Kworker\",\"description\":\"This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. 
Attackers may attempt to evade detection by masquerading as a kernel worker process.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"},{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1041\",\"name\":\"Exfiltration Over C2 Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1041/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or 
\\\"597\\\")\\n\",\"new_terms_fields\":[\"process.name\",\"host.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:2049\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or \\\"597\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or 
\\\"597\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.name\",\"destination.ip\",\"destination.port\"],\"target_version\":[\"process.name\",\"host.id\"],\"merged_version\":[\"process.name\",\"host.id\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"revision\":0,\"current_rule\":{\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"updated_at\":\"2024-12-04T19:46:03.717Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.717Z\",\"created_by\":\"elastic\",\"name\":\"Potential Relay Attack against a Domain Controller\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. 
Attackers may relay the DC hash after capturing it using forced authentication.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"},{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\",\"subtechnique\":[{\"id\":\"T1557.001\",\"name\":\"LLMNR/NBT-NS Poisoning and SMB Relay\",\"reference\":\"https://attack.mitre.org/techniques/T1557/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\
"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-system.security-*\",\"logs-windows.forwarded*\"],\"query\":\"authentication where host.os.type == \\\"windows\\\" and event.code in (\\\"4624\\\", \\\"4625\\\") and endswith~(user.name, \\\"$\\\") and\\n winlog.event_data.AuthenticationPackageName : \\\"NTLM\\\" and winlog.logon.type : \\\"network\\\" and\\n\\n /* Filter for a machine account that matches the hostname */\\n startswith~(host.name, substring(user.name, 0, -1)) and\\n \\n /* Verify if the Source IP belongs to the host */\\n not endswith(string(source.ip), string(host.ip)) and\\n source.ip != null and source.ip != \\\"::1\\\" and source.ip != \\\"127.0.0.1\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Relay Attack against a Domain Controller\",\"description\":\"Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. 
Attackers may relay the DC hash after capturing it using forced authentication.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"},{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\",\"subtechnique\":[{\"id\":\"T1557.001\",\"name\":\"LLMNR/NBT-NS Poisoning and SMB 
Relay\",\"reference\":\"https://attack.mitre.org/techniques/T1557/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.717Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"authentication where host.os.type == \\\"windows\\\" and event.code in (\\\"4624\\\", \\\"4625\\\") and endswith~(user.name, \\\"$\\\") and\\n winlog.event_data.AuthenticationPackageName : \\\"NTLM\\\" and winlog.logon.type : \\\"network\\\" and\\n\\n /* Filter for a machine account that matches the hostname */\\n startswith~(host.name, substring(user.name, 0, -1)) and\\n \\n /* Verify if the Source IP belongs to the host */\\n not endswith(string(source.ip), string(host.ip)) and\\n source.ip != null and source.ip != \\\"::1\\\" and source.ip != \\\"127.0.0.1\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"revision\":0,\"current_rule\":{\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"updated_at\":\"2024-12-04T19:45:44.621Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.621Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Update Orchestrator Service Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via Update Orchestrator Service Hijack\\n\\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. 
Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\\n\\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/irsl/CVE-2020-1313\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and\\n process.parent.args : \\\"UsoSvc\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\Packages\\\\\\\\*\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoClient.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotification.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotificationUx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotifyIcon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerMgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\ClickToRun\\\\\\\\OfficeC2RClient.exe\\\") and\\n not process.name : (\\\"MoUsoCoreWorker.exe\\\", \\\"OfficeC2RClient.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Update Orchestrator Service Hijack\",\"description\":\"Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via Update Orchestrator Service Hijack\\n\\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\\n\\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. 
Attackers can leverage this technique to elevate privileges or maintain persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/irsl/CVE-2020-1313\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.621Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and\\n process.parent.args : \\\"UsoSvc\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\Packages\\\\\\\\*\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoClient.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotification.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotificationUx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotifyIcon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerMgr.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\ClickToRun\\\\\\\\OfficeC2RClient.exe\\\") and\\n not process.name : (\\\"MoUsoCoreWorker.exe\\\", \\\"OfficeC2RClient.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data 
Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"revision\":0,\"current_rule\":{\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"updated_at\":\"2024-12-04T19:45:44.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.628Z\",\"created_by\":\"elastic\",\"name\":\"Attempts to Brute Force a Microsoft 365 User Account\",\"tags\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to brute force a Microsoft 365 user account. 
An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Willem D'Haese\",\"Austin Songer\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-9m\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem\",\"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-o365.audit-*\\n| MV_EXPAND event.category\\n| WHERE event.dataset == \\\"o365.audit\\\"\\n AND event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n AND event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n AND event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n AND not o365.audit.LogonError in (\\n 
\\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n // filters out non user or application logins based on target\\n AND o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n| STATS\\n // count the number of failed login attempts target per user\\n login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\\n\\n| WHERE login_attempt_counts > 10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempts to Brute Force a Microsoft 365 User Account\",\"description\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. 
Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Willem D'Haese\",\"Austin Songer\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[\"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem\",\"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == 
\\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"target_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"merged_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.\",\"target_version\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"merged_version\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. 
Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-o365.audit-*\\n| MV_EXPAND event.category\\n| WHERE event.dataset == \\\"o365.audit\\\"\\n AND event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n AND event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n AND event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n AND not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n // filters out non user or application logins based on target\\n AND o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n| STATS\\n // count the number of failed login attempts target per user\\n 
login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\\n\\n| WHERE login_attempt_counts > 10\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count 
= count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login 
attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"revision\":0,\"current_rule\":{\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"updated_at\":\"2024-12-04T19:45:44.630Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.630Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Archive Compression Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to archive compression activities. 
Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n(\\n powershell.file.script_block_text : (\\n \\\"IO.Compression.ZipFile\\\" or\\n \\\"IO.Compression.ZipArchive\\\" or\\n \\\"ZipFile.CreateFromDirectory\\\" or\\n \\\"IO.Compression.BrotliStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GZipStream\\\" or\\n \\\"IO.Compression.ZLibStream\\\"\\n ) and \\n powershell.file.script_block_text : (\\n \\\"CompressionLevel\\\" or\\n \\\"CompressionMode\\\" or\\n \\\"ZipArchiveMode\\\"\\n ) or\\n powershell.file.script_block_text : \\\"Compress-Archive\\\"\\n) and\\nnot powershell.file.script_block_text : (\\n \\\"Compress-Archive -Path 'C:\\\\ProgramData\\\\Lenovo\\\\Udc\\\\diagnostics\\\\latest\\\" or\\n (\\\"Copyright: (c) 2017, Ansible Project\\\" and \\\"Ansible.ModuleUtils.Backup\\\")\\n) and\\nnot file.directory : \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\lib\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program 
Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Expand-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Compress-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Archive Compression Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.630Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat 
Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Expand-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Compress-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n(\\n powershell.file.script_block_text : (\\n \\\"IO.Compression.ZipFile\\\" or\\n \\\"IO.Compression.ZipArchive\\\" or\\n \\\"ZipFile.CreateFromDirectory\\\" or\\n \\\"IO.Compression.BrotliStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GZipStream\\\" or\\n \\\"IO.Compression.ZLibStream\\\"\\n ) and \\n powershell.file.script_block_text : (\\n \\\"CompressionLevel\\\" or\\n \\\"CompressionMode\\\" or\\n \\\"ZipArchiveMode\\\"\\n ) or\\n powershell.file.script_block_text : \\\"Compress-Archive\\\"\\n) and\\nnot powershell.file.script_block_text : (\\n \\\"Compress-Archive -Path 'C:\\\\ProgramData\\\\Lenovo\\\\Udc\\\\diagnostics\\\\latest\\\" or\\n (\\\"Copyright: (c) 2017, Ansible Project\\\" and \\\"Ansible.ModuleUtils.Backup\\\")\\n) and\\nnot file.directory : \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\lib\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"revision\":0,\"current_rule\":{\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"updated_at\":\"2024-12-04T19:45:44.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.637Z\",\"created_by\":\"elastic\",\"name\":\"Incoming Execution via PowerShell Remoting\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\"
,\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan = 30s\\n [network where host.os.type == \\\"windows\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and destination.port in (5985, 5986) and\\n network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"wsmprovhost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming Execution via PowerShell Remoting\",\"description\":\"Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"immutable\":true,\"rule_source\":{\"type\":\"extern
al\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 30s\\n [network where host.os.type == \\\"windows\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and destination.port in (5985, 5986) and\\n network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"wsmprovhost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"revision\":0,\"current_rule\":{\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"updated_at\":\"2024-12-04T19:45:44.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.645Z\",\"created_by\":\"elastic\",\"name\":\"Account Password Reset Remotely\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Performance\\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate remote account administration.\"],\"from\":\"now-9m\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724\",\"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and event.outcome == \\\"success\\\" and source.ip != null and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not winlog.event_data.TargetUserName : (\\\"svc*\\\", \\\"PIM_*\\\", \\\"_*_\\\", \\\"*-*-*\\\", \\\"*$\\\")] by 
winlog.event_data.TargetLogonId\\n /* event 4724 need to be logged */\\n [iam where event.action == \\\"reset-password\\\" and\\n (\\n /*\\n This rule is very noisy if not scoped to privileged accounts, duplicate the\\n rule and add your own naming convention and accounts of interest here.\\n */\\n winlog.event_data.TargetUserName: (\\\"*Admin*\\\", \\\"*super*\\\", \\\"*SVC*\\\", \\\"*DC0*\\\", \\\"*service*\\\", \\\"*DMZ*\\\", \\\"*ADM*\\\") or\\n winlog.event_data.TargetSid : (\\\"S-1-5-21-*-500\\\", \\\"S-1-12-1-*-500\\\")\\n )\\n ] by winlog.event_data.SubjectLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Password Reset Remotely\",\"description\":\"Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Performance\\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\\n\",\"output_index\":\"\",\"version\":216,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate remote account 
administration.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724\",\"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated
_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.645Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and event.outcome == \\\"success\\\" and source.ip != null and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not winlog.event_data.TargetUserName : (\\\"svc*\\\", \\\"PIM_*\\\", \\\"_*_\\\", \\\"*-*-*\\\", \\\"*$\\\")] by winlog.event_data.TargetLogonId\\n /* event 4724 need to be logged */\\n [iam where event.action == \\\"reset-password\\\" and\\n (\\n /*\\n This rule is very noisy if not scoped to privileged accounts, duplicate the\\n rule and add your own naming convention and accounts of interest here.\\n */\\n winlog.event_data.TargetUserName: (\\\"*Admin*\\\", \\\"*super*\\\", \\\"*SVC*\\\", \\\"*DC0*\\\", \\\"*service*\\\", \\\"*DMZ*\\\", \\\"*ADM*\\\") or\\n winlog.event_data.TargetSid : (\\\"S-1-5-21-*-500\\\", \\\"S-1-12-1-*-500\\\")\\n )\\n ] by winlog.event_data.SubjectLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":216,\"merged_version\":216,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"revision\":0,\"current_rule\":{\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"updated_at\":\"2024-12-04T19:46:03.720Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.720Z\",\"created_by\":\"elastic\",\"name\":\"Potential Widespread Malware Infection Across Multiple Hosts\",\"tags\":[\"Domain: Endpoint\",\"Data Source: Elastic Defend\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Rule Type: Higher-Order Rule\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule uses alert data to determine when a malware signature is triggered in multiple hosts. 
Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/elastic/protections-artifacts/tree/main/yara/rules\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Widespread Malware Infection Across Multiple Hosts\",\"description\":\"This rule uses alert data to determine when a malware signature is triggered in multiple hosts. 
Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"Data Source: Elastic Defend\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Rule Type: Higher-Order Rule\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/elastic/protections-artifacts/tree/main/yara/rules\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.720Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 
3\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"revision\":0,\"current_rule\":{\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"updated_at\":\"2024-12-04T19:45:44.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.647Z\",\"created_by\":\"elastic\",\"name\":\"Account Discovery Command via SYSTEM Account\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Discovery\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Discovery Command via SYSTEM Account\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Use the data collected through the analysis to investigate other machines affected in the environment.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or\\n ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (\\n process.name : \\\"whoami.exe\\\" or\\n (\\n process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\" 
and not process.args : (\\\"start\\\", \\\"stop\\\", \\\"/active:*\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Discovery Command via SYSTEM Account\",\"description\":\"Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Discovery Command via SYSTEM Account\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Use the data collected through the analysis to investigate other machines affected in the environment.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.647Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or\\n 
?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (\\n process.name : \\\"whoami.exe\\\" or\\n (\\n process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\" and not process.args : (\\\"start\\\", \\\"stop\\\", \\\"/active:*\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"revision\":0,\"current_rule\":{\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"updated_at\":\"2024-12-04T19:45:44.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.658Z\",\"created_by\":\"elastic\",\"name\":\"Sudo Command Enumeration Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the 
invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot group.Ext.real.id : \\\"0\\\" and not user.Ext.real.id : \\\"0\\\" and not process.args == \\\"dpkg\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Sudo Command Enumeration Detected\",\"description\":\"This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. 
Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.656Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.658Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == 
\\\"dpkg\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot group.Ext.real.id : \\\"0\\\" and not user.Ext.real.id : \\\"0\\\" and not process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"revision\":0,\"current_rule\":{\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"updated_at\":\"2024-12-04T19:46:03.722Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.722Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via SUID/SGID\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. 
Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://gtfobins.github.io/#+suid\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", 
\\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", 
\\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via SUID/SGID\",\"description\":\"Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.722Z\",\"
created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", 
\\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == 
\\\"spine\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://gtfobins.github.io/#+suid\"],\"target_version\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\"
:true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", 
\\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", 
\\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", 
\\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", 
\\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == \\\"spine\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", 
\\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", 
\\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == \\\"spine\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"revision\":0,\"current_rule\":{\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"updated_at\":\"2024-12-04T19:45:44.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.661Z\",\"created_by\":\"elastic\",\"name\":\"Shell Configuration Creation or Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. 
This behavior is consistent with the Kaiji malware family.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate user shell modification activity.\"],\"from\":\"now-9m\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", 
\\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Shell Configuration Creation or Modification\",\"description\":\"This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate user shell modification activity.\"],\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.661Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user 
configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n 
\\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"target_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n 
\\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", 
\\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", 
\\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", 
\\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", 
\\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"revision\":0,\"current_rule\":{\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"updated_at\":\"2024-12-04T19:45:44.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.663Z\",\"created_by\":\"elastic\",\"name\":\"AWS Security Group Configuration Change Detection\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A security group may be created by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-30m\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress 
or\\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\\nRevokeSecurityGroupIngress) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 Security Group Configuration Change\",\"description\":\"Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. 
Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. **Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. 
**Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best 
practices.\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.663Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: 
\\\"success\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Security Group Configuration Change Detection\",\"target_version\":\"AWS EC2 Security Group Configuration Change\",\"merged_version\":\"AWS EC2 Security Group Configuration Change\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. 
Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. 
**Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and 
best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.\\n\",\"merged_version\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. 
Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. **Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. 
Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"10m\",\"lookback\":\"1200s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\\nRevokeSecurityGroupIngress) and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: \\\"success\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and 
event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: \\\"success\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":8,\"num_fields_with_conflicts\":7,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"revision\":0,\"current_rule\":{\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"updated_at\":\"2024-12-04T19:45:44.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.665Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Windows Directory Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"C:\\\\\\\\Windows \\\\\\\\system32\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows \\\\\\\\SysWOW64\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt via Windows Directory Masquerading\",\"description\":\"Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. 
Attackers may bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.665Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"C:\\\\\\\\Windows \\\\\\\\system32\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows \\\\\\\\SysWOW64\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"revision\":0,\"current_rule\":{\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"updated_at\":\"2024-12-04T19:45:44.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.668Z\",\"created_by\":\"elastic\",\"name\":\"Web Shell Detection: Script Process Child of Common Web Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious commands executed via a web server, which may suggest a 
vulnerability and remote shell access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\\n\\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\\n\\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.\"],\"from\":\"now-9m\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.003\",\"name\":\"Web Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1505/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]},{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/\",\"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"w3wp.exe\\\", \\\"httpd.exe\\\", \\\"nginx.exe\\\", \\\"php.exe\\\", \\\"php-cgi.exe\\\", \\\"tomcat.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"cscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\") and\\n not\\n (\\n process.parent.name : (\\\"php.exe\\\", \\\"httpd.exe\\\") and process.name : \\\"cmd.exe\\\" and\\n process.command_line : (\\n \\\"cmd.exe /c mode CON\\\",\\n \\\"cmd.exe /s /c \\\\\\\"mode CON\\\\\\\"\\\",\\n \\\"cmd.exe /c \\\\\\\"mode\\\\\\\"\\\",\\n \\\"cmd.exe /s /c \\\\\\\"tput colors 2>&1\\\\\\\"\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Web Shell Detection: Script Process Child of Common Web Processes\",\"description\":\"Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\\n\\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\\n\\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.\"],\"references\":[\"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/\",\"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.003\",\"name\":\"Web Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1505/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]},{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"upd
ated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.668Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"w3wp.exe\\\", \\\"httpd.exe\\\", \\\"nginx.exe\\\", \\\"php.exe\\\", \\\"php-cgi.exe\\\", \\\"tomcat.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"cscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\") and\\n not\\n (\\n process.parent.name : (\\\"php.exe\\\", \\\"httpd.exe\\\") and process.name : \\\"cmd.exe\\\" and\\n process.command_line : (\\n \\\"cmd.exe /c mode CON\\\",\\n \\\"cmd.exe /s /c \\\\\\\"mode CON\\\\\\\"\\\",\\n \\\"cmd.exe /c \\\\\\\"mode\\\\\\\"\\\",\\n \\\"cmd.exe /s /c \\\\\\\"tput colors 2>&1\\\\\\\"\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"revision\":0,\"current_rule\":{\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"updated_at\":\"2024-12-04T19:45:44.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.670Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Privileged Local Groups Membership\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating 
Enumeration of Privileged Local Groups Membership\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process, host and user involved on the event.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## 
Setup\\n\\nThe 'Audit Security Group Management' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit Security Group Management (Success)\\n```\\n\\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n 
)\\n\",\"new_terms_fields\":[\"host.id\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.CallerProcessName\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Privileged Local Groups Membership\",\"description\":\"Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Privileged Local Groups Membership\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process, host and user involved on the event.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR 
user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Security Group Management' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit Security Group Management (Success)\\n```\\n\\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.670Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n 
C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"new_terms_fields\":[\"host.id\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.CallerProcessName\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n 
winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"revision\":0,\"current_rule\":{\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"updated_at\":\"2024-12-04T19:45:44.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.673Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux SSH X11 Forwarding\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux SSH X11 Forwarding\\n\\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\\n\\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") 
and\\nprocess.name in (\\\"ssh\\\", \\\"sshd\\\") and process.args in (\\\"-X\\\", \\\"-Y\\\") and process.args_count >= 3 and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux SSH X11 Forwarding\",\"description\":\"This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux SSH X11 Forwarding\\n\\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\\n\\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol 
Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.673Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"ssh\\\", \\\"sshd\\\") and process.args in (\\\"-X\\\", \\\"-Y\\\") and process.args_count >= 3 and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Linux SSH X11 Forwarding\",\"target_version\":\"Linux SSH X11 Forwarding\",\"merged_version\":\"Linux SSH X11 Forwarding\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"revision\":0,\"current_rule\":{\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"updated_at\":\"2024-12-04T19:45:44.675Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.675Z\",\"created_by\":\"elastic\",\"name\":\"Potential Code Execution via Postgresql\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public-facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can lead to unauthorized access, malicious actions, and further post-exploitation activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and \\nuser.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not process.parent.name : \\\"puppet\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Code Execution via Postgresql\",\"description\":\"This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. 
Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public-facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can lead to unauthorized access, malicious actions, and further post-exploitation activity.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.675Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and 
process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true
},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and \\nuser.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not process.parent.name : \\\"puppet\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n 
process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"revision\":0,\"current_rule\":{\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"updated_at\":\"2024-12-04T19:45:44.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.680Z\",\"created_by\":\"elastic\",\"name\":\"ESXI Discovery via Grep\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", or \\\"vmem\\\". 
These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and process.args in (\\n \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ESXI Discovery via Grep\",\"description\":\"Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", or \\\"vmem\\\". 
These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.680Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == 
\\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name 
in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and process.args in (\\n \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == \\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == \\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"revision\":0,\"current_rule\":{\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"updated_at\":\"2024-12-04T19:45:44.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.682Z\",\"created_by\":\"elastic\",\"name\":\"Adobe Hijack Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects writing executable files that will be automatically launched by Adobe on launch.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adobe Hijack Persistence\\n\\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables 
with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.010\",\"name\":\"Services File Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/010/\"}]},{\"id\":\"T1554\",\"name\":\"Compromise Host Software 
Binary\",\"reference\":\"https://attack.mitre.org/techniques/T1554/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/pabraeken/status/997997818362155008\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\") and\\n not process.name : \\\"msiexec.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Adobe Hijack 
Persistence\",\"description\":\"Detects writing executable files that will be automatically launched by Adobe on launch.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adobe Hijack Persistence\\n\\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM 
dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":414,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/pabraeken/status/997997818362155008\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.010\",\"name\":\"Services File Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/010/\"}]},{\"id\":\"T1554\",\"name\":\"Compromise Host Software Binary\",\"reference\":\"https://attack.mitre.org/techniques/T1554/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.682Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\") and\\n not process.name : \\\"msiexec.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":414,\"merged_version\":414,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"revision\":0,\"current_rule\":{\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"updated_at\":\"2024-12-04T19:45:44.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.689Z\",\"created_by\":\"elastic\",\"name\":\"Windows Defender Exclusions Added via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows 
Defender Exclusions Added via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Examine the exclusion in order to determine the intent behind it.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive 
analysis\\n\\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")) and\\n process.args : 
(\\\"*Add-MpPreference*\\\", \\\"*Set-MpPreference*\\\") and\\n process.args : (\\\"*-Exclusion*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Defender Exclusions Added via PowerShell\",\"description\":\"Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Exclusions Added via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Examine the exclusion in order to determine the intent behind it.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.689Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")) and\\n process.args : (\\\"*Add-MpPreference*\\\", \\\"*Set-MpPreference*\\\") and\\n process.args : 
(\\\"*-Exclusion*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\"],\"target_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"revision\":0,\"current_rule\":{\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"updated_at\":\"2024-12-04T19:45:44.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.692Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Microsoft Diagnostics Wizard Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process 
arguments.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/nao_sec/status/1530196847679401984\",\"https://lolbas-project.github.io/lolbas/Binaries/Msdt/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.pe.original_file_name == \\\"msdt.exe\\\" or process.name : \\\"msdt.exe\\\") and\\n (\\n process.args : (\\\"IT_RebrowseForFile=*\\\", \\\"ms-msdt:/id\\\", \\\"ms-msdt:-id\\\", \\\"*FromBase64*\\\") or\\n\\n (process.args : \\\"-af\\\" and process.args : \\\"/skip\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\") and\\n process.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\diagnostics\\\\\\\\index\\\\\\\\PCWDiagnostic.xml\\\", \\\"PCWDiagnostic.xml\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\")) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.name : \\\"msdt.exe\\\" and process.name != null) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msdt.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msdt.exe\\\"))\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Microsoft Diagnostics Wizard Execution\",\"description\":\"Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/nao_sec/status/1530196847679401984\",\"https://lolbas-project.github.io/lolbas/Binaries/Msdt/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.pe.original_file_name == \\\"msdt.exe\\\" or process.name : \\\"msdt.exe\\\") and\\n (\\n process.args : 
(\\\"IT_RebrowseForFile=*\\\", \\\"ms-msdt:/id\\\", \\\"ms-msdt:-id\\\", \\\"*FromBase64*\\\") or\\n\\n (process.args : \\\"-af\\\" and process.args : \\\"/skip\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\") and\\n process.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\diagnostics\\\\\\\\index\\\\\\\\PCWDiagnostic.xml\\\", \\\"PCWDiagnostic.xml\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\")) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.name : \\\"msdt.exe\\\" and process.name != null) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msdt.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msdt.exe\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: 
Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"revision\":0,\"current_rule\":{\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"updated_at\":\"2024-12-04T19:45:44.694Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.694Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Kernel Modules\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This identifies attempts to enumerate information about a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"from\":\"now-9m\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \\nweak-modules or zfs)\\n\",\"new_terms_fields\":[\"process.parent.command_line\",\"process.command_line\",\"host.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Kernel Modules\",\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This identifies attempts to enumerate information about a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.694Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or 
plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\",\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \\nweak-modules or zfs)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n 
)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.parent.command_line\",\"process.command_line\",\"host.id\"],\"target_version\":[\"process.executable\",\"process.parent.executable\"],\"merged_version\":[\"process.executable\",\"process.parent.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"revision\":0,\"current_rule\":{\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"updated_at\":\"2024-12-04T19:45:44.697Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.697Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Access via Direct System Call\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Access via Direct System Call\\n\\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\\n\\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\\n\\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/SBousseaden/status/1278013896440324096\",\"https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n length(winlog.event_data.CallTrace) > 0 and\\n\\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\\n not winlog.event_data.CallTrace :\\n (\\\"?:\\\\\\\\WINDOWS\\\\\\\\SYSTEM32\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wow64cpu.dll*\\\",\\n 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\wow64win.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\win32u.dll*\\\") and\\n\\n not winlog.event_data.TargetImage :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Malwarebytes Anti-Exploit\\\\\\\\mbae-svc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\*\\\\\\\\AcroCEF.exe\\\") and\\n\\n not (process.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\World of Warcraft\\\\\\\\_classic_\\\\\\\\WowClassic.exe\\\") and\\n not winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Access via Direct System Call\",\"description\":\"Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Access via Direct System Call\\n\\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\\n\\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\\n\\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine 
registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/SBousseaden/status/1278013896440324096\",\"https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.697Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n length(winlog.event_data.CallTrace) > 0 and\\n\\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\\n not winlog.event_data.CallTrace :\\n (\\\"?:\\\\\\\\WINDOWS\\\\\\\\SYSTEM32\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wow64cpu.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\wow64win.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\win32u.dll*\\\") and\\n\\n not winlog.event_data.TargetImage :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Malwarebytes Anti-Exploit\\\\\\\\mbae-svc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat 
DC\\\\\\\\Acrobat\\\\\\\\*\\\\\\\\AcroCEF.exe\\\") and\\n\\n not (process.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\World of Warcraft\\\\\\\\_classic_\\\\\\\\WowClassic.exe\\\") and\\n not winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"revision\":0,\"current_rule\":{\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"updated_at\":\"2024-12-04T19:45:44.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.704Z\",\"created_by\":\"elastic\",\"name\":\"Wireless Credential Dumping using Netsh Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to dump Wireless saved access keys in clear text 
using the Windows built-in utility Netsh.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Wireless Credential Dumping using Netsh Command\\n\\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\\n\\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous 
entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts\",\"https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : \\\"wlan\\\" and process.args : \\\"key*clear\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Wireless Credential Dumping using Netsh Command\",\"description\":\"Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Wireless Credential Dumping using Netsh Command\\n\\nNetsh is a Windows command line tool used for network configuration and troubleshooting. 
It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\\n\\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running 
on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts\",\"https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : \\\"wlan\\\" and process.args : \\\"key*clear\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"revision\":0,\"current_rule\":{\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"updated_at\":\"2024-12-04T19:45:44.706Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.706Z\",\"created_by\":\"elastic\",\"name\":\"Renamed AutoIt Scripts Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious AutoIt process execution. 
Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed AutoIt Scripts Interpreter\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\\n\\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"AutoIt*.exe\\\" and not process.name : \\\"AutoIt*.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Renamed AutoIt Scripts Interpreter\",\"description\":\"Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed AutoIt Scripts Interpreter\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\\n\\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System 
Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.706Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"AutoIt*.exe\\\" and not process.name : \\\"AutoIt*.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation 
Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"revision\":0,\"current_rule\":{\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"updated_at\":\"2024-12-04T19:45:44.709Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.709Z\",\"created_by\":\"elastic\",\"name\":\"Potential Process Injection via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Process Injection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\\n\\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"from\":\"now-9m\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1\",\"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\\n ) and not \\n file.directory: (\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\\\" or\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Process Injection via PowerShell\",\"description\":\"Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Process Injection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\\n\\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these 
functions.\"],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1\",\"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.709Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\\n ) and not \\n file.directory: (\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\\\" or\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"revision\":0,\"current_rule\":{\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"updated_at\":\"2024-12-04T19:45:44.711Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.711Z\",\"created_by\":\"elastic\",\"name\":\"Accessing Outlook Data Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email 
Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.args : (\\\"*.ost\\\", \\\"*.pst\\\") and\\n not process.name : \\\"outlook.exe\\\" and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"*davclnt.dll,DavSetCookie*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Accessing Outlook Data Files\",\"description\":\"Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.711Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.args : (\\\"*.ost\\\", \\\"*.pst\\\") and\\n not process.name : \\\"outlook.exe\\\" and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"*davclnt.dll,DavSetCookie*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"revision\":0,\"current_rule\":{\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"updated_at\":\"2024-12-04T19:45:40.144Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.144Z\",\"created_by\":\"elastic\",\"name\":\"Creation of a Hidden Local User Account\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a hidden local user account by appending the dollar sign to the account name. 
This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation of a Hidden Local User Account\\n\\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\\n\\nThis rule uses registry events to identify the creation of local hidden accounts.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Delete the hidden account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html\",\"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of a Hidden Local User Account\",\"description\":\"Identifies the creation of a hidden 
local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation of a Hidden Local User Account\\n\\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\\n\\nThis rule uses registry events to identify the creation of local hidden accounts.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Delete the hidden account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html\",\"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.144Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n 
registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"revision\":0,\"current_rule\":{\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"updated_at\":\"2024-12-04T19:45:44.718Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.718Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Script with Audio Capture Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1123\",\"name\":\"Audio Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1123/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Get-MicrophoneAudio\\\" or\\n \\\"WindowsAudioDevice-Powershell-Cmdlet\\\" or\\n (waveInGetNumDevs and mciSendStringA)\\n )\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Audio Capture Capabilities\",\"description\":\"Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation 
tooling.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1123\",\"name\":\"Audio Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1123/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.718Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Get-MicrophoneAudio\\\" or\\n \\\"WindowsAudioDevice-Powershell-Cmdlet\\\" or\\n (waveInGetNumDevs and mciSendStringA)\\n )\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"revision\":0,\"current_rule\":{\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"updated_at\":\"2024-12-04T19:45:44.721Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.721Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Disable Syslog Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n ( (process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))\\n ) and process.args in (\\\"syslog\\\", \\\"rsyslog\\\", \\\"syslog-ng\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Disable Syslog Service\",\"description\":\"Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.721Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n ( (process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))\\n ) and process.args in (\\\"syslog\\\", \\\"rsyslog\\\", 
\\\"syslog-ng\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"revision\":0,\"current_rule\":{\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"updated_at\":\"2024-12-04T19:45:40.150Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.150Z\",\"created_by\":\"elastic\",\"name\":\"Windows Defender Disabled via Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Disabled via Registry Modification\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. 
Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Re-enable Windows Defender and restore the service configurations to automatic start.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2020/12/13/defender-control/\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n ) and\\n registry.data.strings: (\\\"1\\\", \\\"0x00000001\\\")\\n ) or\\n (\\n registry.path: (\\n 
\\\"HKLM\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings in (\\\"3\\\", \\\"4\\\", \\\"0x00000003\\\", \\\"0x00000004\\\")\\n )\\n ) and\\n\\n not\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\NTRmv.exe\\\"\\n ) and user.id : \\\"S-1-5-18\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Defender Disabled via Registry Modification\",\"description\":\"Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Disabled via Registry Modification\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Re-enable Windows Defender and restore the service configurations to automatic start.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2020/12/13/defender-control/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.150Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n ) and\\n registry.data.strings: (\\\"1\\\", \\\"0x00000001\\\")\\n ) or\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings in (\\\"3\\\", \\\"4\\\", \\\"0x00000003\\\", \\\"0x00000004\\\")\\n )\\n ) and\\n\\n not\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\services.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\NTRmv.exe\\\"\\n ) and user.id : \\\"S-1-5-18\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"revision\":0,\"current_rule\":{\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"updated_at\":\"2024-12-04T19:46:03.729Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.729Z\",\"created_by\":\"elastic\",\"name\":\"AWS STS GetCallerIdentity API Called for the First Time\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.004\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\",\"https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials\",\"https://detectioninthe.cloud/ttps/discovery/get_caller_identity/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"aws.cloudtrail\\\" and event.provider:\\\"sts.amazonaws.com\\\" and event.action:\\\"GetCallerIdentity\\\"\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-10d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS STS GetCallerIdentity API Called for the First Time\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. 
This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. 
We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\",\"https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials\",\"https://detectioninthe.cloud/ttps/discovery/get_caller_identity/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.004\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.729Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: 
\\\"AssumedRole\\\"\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-10d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. 
We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\
"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:\\\"aws.cloudtrail\\\" and event.provider:\\\"sts.amazonaws.com\\\" and event.action:\\\"GetCallerIdentity\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: \\\"AssumedRole\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: \\\"AssumedRole\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"revision\":0,\"current_rule\":{\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"updated_at\":\"2024-12-04T19:45:45.844Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.844Z\",\"created_by\":\"elastic\",\"name\":\"Bypass UAC via Event Viewer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Bypass UAC via Event Viewer\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Bypass UAC via Event Viewer\",\"description\":\"Identifies User Account 
Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Bypass UAC via Event Viewer\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.844Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"revision\":0,\"current_rule\":{\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"updated_at\":\"2024-12-04T19:46:03.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.732Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection from Binary with RWX Memory Region\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. 
The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection from Binary with RWX Memory Region\",\"description\":\"Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. 
RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are 
desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"target_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n 
/* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"revision\":0,\"current_rule\":{\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"updated_at\":\"2024-12-04T19:45:45.856Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.856Z\",\"created_by\":\"elastic\",\"name\":\"RPC (Remote Procedure Call) to the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 
or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RPC (Remote Procedure Call) to the Internet\",\"description\":\"This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.856Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"revision\":0,\"current_rule\":{\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"updated_at\":\"2024-12-04T19:45:45.858Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.858Z\",\"created_by\":\"elastic\",\"name\":\"Program Files Directory Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Program Files Directory Masquerading\",\"description\":\"Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.858Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"revision\":0,\"current_rule\":{\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"updated_at\":\"2024-12-04T19:45:45.861Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.861Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious MS Outlook Child 
Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Outlook Child Process\\n\\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\\n\\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : (\\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\",\\n \\\"cdb.exe\\\", 
\\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\",\\n \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\",\\n \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"xwizard.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious MS Outlook Child Process\",\"description\":\"Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Outlook Child Process\\n\\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\\n\\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.861Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : (\\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\",\\n \\\"cdb.exe\\\", \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\",\\n \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\", \\\"qprocess.exe\\\", 
\\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\",\\n \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"xwizard.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: 
Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"revision\":0,\"current_rule\":{\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"updated_at\":\"2024-12-04T19:45:45.865Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.865Z\",\"created_by\":\"elastic\",\"name\":\"ESXI Discovery via Find\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \\\"/etc/vmware/\\\", \\\"/usr/lib/vmware/\\\", or \\\"/vmfs/*\\\". 
These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"find\\\" and process.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ESXI Discovery via Find\",\"description\":\"Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \\\"/etc/vmware/\\\", \\\"/usr/lib/vmware/\\\", or \\\"/vmfs/*\\\". 
These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.865Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == 
\\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n 
and process.name == \\\"find\\\" and process.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == \\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == \\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"revision\":0,\"current_rule\":{\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"updated_at\":\"2024-12-04T19:45:40.178Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.178Z\",\"created_by\":\"elastic\",\"name\":\"Accepted Default Telnet Port Connection\",\"tags\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the 
use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. 
Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\\n and event.type:connection and not event.action:(\\n flow_dropped or flow_denied or denied or deny or\\n flow_terminated or timeout or Reject 
or network_flow)\\n and destination.port:23\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Accepted Default Telnet Port Connection\",\"description\":\"This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. 
Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.178Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\\n and 
event.type:connection and not event.action:(\\n flow_dropped or flow_denied or denied or deny or\\n flow_terminated or timeout or Reject or network_flow)\\n and destination.port:23\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\"],\"target_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"revision\":0,\"current_rule\":{\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"updated_at\":\"2024-12-04T19:45:45.875Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.875Z\",\"created_by\":\"elastic\",\"name\":\"Port Forwarding Rule Addition\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a new port forwarding rule. 
An adversary may abuse this technique to bypass network segmentation restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Port Forwarding Rule Addition\\n\\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\\n\\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\\n\\nThis rule monitors the modifications to the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\` subkeys.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Delete the port forwarding rule.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\"],\"version\":312,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Port Forwarding Rule Addition\",\"description\":\"Identifies the creation of a new port forwarding rule. 
An adversary may abuse this technique to bypass network segmentation restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Port Forwarding Rule Addition\\n\\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\\n\\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\\n\\nThis rule monitors the modifications to the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\` subkeys.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Delete the port forwarding rule.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":413,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.875Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":312,\"target_version\":413,\"merged_version\":413,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"revision\":0,\"current_rule\":{\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"updated_at\":\"2024-12-04T19:45:45.880Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.880Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Parent-Child Relationship\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Parent-Child Relationship\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\\n\\nThis rule uses this information to spot suspicious parent and child processes.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.parent.name != null and\\n (\\n /* suspicious parent processes */\\n (process.name:\\\"autochk.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"fontdrvhost.exe\\\", \\\"dwm.exe\\\") and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"consent.exe\\\", \\\"RuntimeBroker.exe\\\", \\\"TiWorker.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n (process.name:\\\"SearchIndexer.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"SearchProtocolHost.exe\\\" and not process.parent.name:(\\\"SearchIndexer.exe\\\", \\\"dllhost.exe\\\")) or\\n (process.name:\\\"dllhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"smss.exe\\\" and not process.parent.name:(\\\"System\\\", \\\"smss.exe\\\")) or\\n (process.name:\\\"csrss.exe\\\" and not process.parent.name:(\\\"smss.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"wininit.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:\\\"winlogon.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"lsass.exe\\\", \\\"LsaIso.exe\\\") and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"LogonUI.exe\\\" and not 
process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:\\\"services.exe\\\" and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"svchost.exe\\\" and not process.parent.name:(\\\"MsMpEng.exe\\\", \\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"spoolsv.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"taskhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\", \\\"ngentask.exe\\\")) or\\n (process.name:\\\"taskhostw.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"userinit.exe\\\" and not process.parent.name:(\\\"dwm.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"wmiprvse.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n /* suspicious child processes */\\n (process.parent.name:(\\\"SearchProtocolHost.exe\\\", \\\"taskhost.exe\\\", \\\"csrss.exe\\\") and not process.name:(\\\"werfault.exe\\\", \\\"wermgr.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"conhost.exe\\\")) or\\n (process.parent.name:\\\"autochk.exe\\\" and not process.name:(\\\"chkdsk.exe\\\", \\\"doskey.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"smss.exe\\\" and not process.name:(\\\"autochk.exe\\\", \\\"smss.exe\\\", \\\"csrss.exe\\\", \\\"wininit.exe\\\", \\\"winlogon.exe\\\", \\\"setupcl.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"wermgr.exe\\\" and not process.name:(\\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"conhost.exe\\\" and not process.name:(\\\"mscorsvw.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\"))\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Parent-Child Relationship\",\"description\":\"Identifies Windows programs run from unexpected parent processes. 
This could indicate masquerading or other strange activity on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Parent-Child Relationship\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\\n\\nThis rule uses this information to spot suspicious parent and child processes.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.880Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.parent.name != null and\\n (\\n /* suspicious parent processes */\\n (process.name:\\\"autochk.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"fontdrvhost.exe\\\", \\\"dwm.exe\\\") and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"consent.exe\\\", \\\"RuntimeBroker.exe\\\", \\\"TiWorker.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n (process.name:\\\"SearchIndexer.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"SearchProtocolHost.exe\\\" and not process.parent.name:(\\\"SearchIndexer.exe\\\", \\\"dllhost.exe\\\")) or\\n (process.name:\\\"dllhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"smss.exe\\\" and not 
process.parent.name:(\\\"System\\\", \\\"smss.exe\\\")) or\\n (process.name:\\\"csrss.exe\\\" and not process.parent.name:(\\\"smss.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"wininit.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:\\\"winlogon.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"lsass.exe\\\", \\\"LsaIso.exe\\\") and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"LogonUI.exe\\\" and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:\\\"services.exe\\\" and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"svchost.exe\\\" and not process.parent.name:(\\\"MsMpEng.exe\\\", \\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"spoolsv.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"taskhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\", \\\"ngentask.exe\\\")) or\\n (process.name:\\\"taskhostw.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"userinit.exe\\\" and not process.parent.name:(\\\"dwm.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"wmiprvse.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n /* suspicious child processes */\\n (process.parent.name:(\\\"SearchProtocolHost.exe\\\", \\\"taskhost.exe\\\", \\\"csrss.exe\\\") and not process.name:(\\\"werfault.exe\\\", \\\"wermgr.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"conhost.exe\\\")) or\\n (process.parent.name:\\\"autochk.exe\\\" and not process.name:(\\\"chkdsk.exe\\\", \\\"doskey.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"smss.exe\\\" and not process.name:(\\\"autochk.exe\\\", \\\"smss.exe\\\", \\\"csrss.exe\\\", \\\"wininit.exe\\\", \\\"winlogon.exe\\\", \\\"setupcl.exe\\\", \\\"WerFault.exe\\\")) or\\n 
(process.parent.name:\\\"wermgr.exe\\\" and not process.name:(\\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"conhost.exe\\\" and not process.name:(\\\"mscorsvw.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\"],\"target_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"revision\":0,\"current_rule\":{\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"updated_at\":\"2024-12-04T19:45:40.175Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.175Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious ImagePath Service Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a suspicious ImagePath value. 
This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == 
\\\"change\\\" and\\n registry.value : \\\"ImagePath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and\\n /* add suspicious registry ImagePath values here */\\n registry.data.strings : (\\\"%COMSPEC%*\\\", \\\"*\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious ImagePath Service Creation\",\"description\":\"Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.175Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"ImagePath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and\\n /* add suspicious registry ImagePath values here */\\n registry.data.strings : (\\\"%COMSPEC%*\\\", 
\\\"*\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"revision\":0,\"current_rule\":{\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"updated_at\":\"2024-12-04T19:45:45.901Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.901Z\",\"created_by\":\"elastic\",\"name\":\"AWS Execution via System Manager\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS Execution via System Manager\\n\\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\\n\\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate the commands or scripts using host-level visibility.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS SSM `SendCommand` Execution by Rare User\",\"description\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. 
While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. 
If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. 
Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web 
Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.901Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and 
event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Execution via System Manager\",\"target_version\":\"AWS SSM `SendCommand` Execution by Rare User\",\"merged_version\":\"AWS SSM `SendCommand` Execution by Rare User\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies the execution of commands and scripts via System Manager. 
Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.\",\"target_version\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"merged_version\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. 
This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS Execution via System Manager\\n\\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\\n\\nThis rule looks for the execution of commands and scripts 
using Systems Manager. Note that the actual contents of these scripts and commands are not included in the CloudTrail event, so analysts must gain visibility through a host-level security product on the target instance.
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"target_version\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. 
Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. 
Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"merged_version\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule 
detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. 
A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. 
Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"10m\",\"lookback\":\"3000s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and 
event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"aws.cloudtrail.user_identity.arn\"],\"merged_version\":[\"aws.cloudtrail.user_identity.arn\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-7d\",\"merged_version\":\"now-7d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":13,\"num_fields_with_conflicts\":12,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"revision\":0,\"current_rule\":{\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"updated_at\":\"2024-12-04T19:45:45.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.908Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via 
Certutil\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Certutil\\n\\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\\n\\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Investigate if the downloaded file was executed.\\n- Determine the context in which `certutil.exe` and the file were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://frsecure.com/malware-incident-response-playbook/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and process.name : \\\"certutil.exe\\\" and\\n not cidrmatch(destination.ip, 
\\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name in (\\\"localhost\\\", \\\"*.digicert.com\\\", \\\"ctldl.windowsupdate.com\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Certutil\",\"description\":\"Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Certutil\\n\\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\\n\\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Investigate if the downloaded file was executed.\\n- Determine the context in which `certutil.exe` and the file were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe 
and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://frsecure.com/malware-incident-response-playbook/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and process.name : \\\"certutil.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name in (\\\"localhost\\\", \\\"*.digicert.com\\\", 
\\\"ctldl.windowsupdate.com\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"updated_at\":\"2024-12-04T19:45:45.915Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.915Z\",\"created_by\":\"elastic\",\"name\":\"External User Added to Google Workspace Group\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating External User Added to Google Workspace Group\\n\\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\\n\\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\\n\\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\\n - The `user.target.email` field contains the user added to the groups\\n - The `group.name` field contains the group the target user was added to\\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\\n- To identify other users in this group, search for `event.action: \\\"ADD_GROUP_MEMBER\\\"`\\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\\n- Review Gmail logs where emails were sent to and from the `group.name` value\\n - This may indicate potential internal spearphishing\\n\\n### False positive analysis\\n- With the user account who added the new user, verify this action was intentional\\n- Verify that the target who was added to the group is expected to have access to the organization's resources and data\\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following 
actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.\"],\"from\":\"now-130m\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/33329\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.email\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.group.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"iam where event.dataset == \\\"google_workspace.admin\\\" and event.action == \\\"ADD_GROUP_MEMBER\\\" and\\n not endsWith(user.target.email, user.target.group.domain)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"External User Added to Google Workspace Group\",\"description\":\"Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating External User Added to Google Workspace Group\\n\\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\\n\\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\\n\\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\\n - The `user.target.email` field contains the user added to the groups\\n - The `group.name` field contains the group the target user was added to\\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\\n- To identify other users in this group, search for `event.action: \\\"ADD_GROUP_MEMBER\\\"`\\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\\n- Review Gmail logs where emails were sent to and from the `group.name` value\\n - This may indicate potential internal spearphishing\\n\\n### False positive analysis\\n- With the user account who added the new user, verify this action was intentional\\n- Verify that the target who was added to the group is expected to have access to the organization's resources and data\\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following 
actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.\"],\"references\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.email\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.group.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.915Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"google_workspace.admin\\\" and event.action == \\\"ADD_GROUP_MEMBER\\\" and\\n not endsWith(user.target.email, user.target.group.domain)\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/33329\"],\"target_version\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"revision\":0,\"current_rule\":{\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"updated_at\":\"2024-12-04T19:45:45.924Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.924Z\",\"created_by\":\"elastic\",\"name\":\"Downloaded Shortcut Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"lnk\\\" and file.Ext.windows.zone_identifier > 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Downloaded Shortcut Files\",\"description\":\"Identifies .lnk shortcut file downloaded from outside the local network. 
These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.924Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"lnk\\\" and file.Ext.windows.zone_identifier > 1\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"revision\":0,\"current_rule\":{\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"updated_at\":\"2024-12-04T19:45:45.927Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.927Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Microsoft Outlook VBA\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE.\"],\"from\":\"now-9m\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\",\"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Outlook\\\\\\\\VbaProject.OTM\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Microsoft Outlook VBA\",\"description\":\"Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE.\"],\"references\":[\"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\",\"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.927Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : 
\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Outlook\\\\\\\\VbaProject.OTM\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"revision\":0,\"current_rule\":{\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"updated_at\":\"2024-12-04T19:46:03.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.736Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Generator Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. 
Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", 
\\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Generator Created\",\"description\":\"This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. 
Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) 
and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\"],\"target_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", 
\\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", 
\\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"revision\":0,\"current_rule\":{\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"updated_at\":\"2024-12-04T19:45:45.929Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.929Z\",\"created_by\":\"elastic\",\"name\":\"Potential DNS Tunneling via NsLookup\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. 
This may indicate command and control activity utilizing the DNS protocol.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential DNS Tunneling via NsLookup\\n\\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\\n\\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\\n\\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the DNS query and identify the information sent.\\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Immediately block the identified indicators of compromise (IoCs).\\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Update firewall rules to be more restrictive.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.004\",\"name\":\"DNS\",\"reference\":\"https://attack.mitre.org/techniques/T1071/004/\"}]},{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"sequence by host.id with maxspan=5m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nslookup.exe\\\" and process.args:(\\\"-querytype=*\\\", \\\"-qt=*\\\", \\\"-q=*\\\", \\\"-type=*\\\")] with runs = 10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DNS Tunneling via NsLookup\",\"description\":\"This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. 
This may indicate command and control activity utilizing the DNS protocol.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential DNS Tunneling via NsLookup\\n\\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\\n\\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\\n\\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the DNS query and identify the information sent.\\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Immediately block the identified indicators of compromise (IoCs).\\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Update firewall rules to be more restrictive.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.004\",\"name\":\"DNS\",\"reference\":\"https://attack.mitre.org/techniques/T1071/004/\"}]},{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.929Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5m\\n[process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and\\n process.name : \\\"nslookup.exe\\\" and process.args:(\\\"-querytype=*\\\", \\\"-qt=*\\\", \\\"-q=*\\\", \\\"-type=*\\\")] with runs = 10\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"revision\":0,\"current_rule\":{\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"updated_at\":\"2024-12-04T19:45:45.932Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.932Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Module Loaded by LSASS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.xpnsec.com/exploring-mimikatz-part-2/\",\"https://github.com/jas502n/mimikat_ssp\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n 
\\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n 
\\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Module Loaded by LSASS\",\"description\":\"Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.xpnsec.com/exploring-mimikatz-part-2/\",\"https://github.com/jas502n/mimikat_ssp\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.932Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e 
Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n 
\\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"library where host.os.type == \\\"windows\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker 
AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n 
\\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro 
Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, 
Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n 
\\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"revision\":0,\"current_rule\":{\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"updated_at\":\"2024-12-04T19:45:45.934Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.934Z\",\"created_by\":\"elastic\",\"name\":\"VNC (Virtual Network Computing) to the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of VNC traffic to the Internet. 
VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"VNC (Virtual Network Computing) to the Internet\",\"description\":\"This rule detects network events that may indicate the use of VNC traffic to the Internet. 
VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. 
Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.934Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 
192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"revision\":0,\"current_rule\":{\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"updated_at\":\"2024-12-04T19:45:45.941Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.941Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Parent Process for cmd.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"epad.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"dllhost.exe\\\",\\n \\\"LogonUI.exe\\\",\\n \\\"wermgr.exe\\\",\\n \\\"spoolsv.exe\\\",\\n \\\"jucheck.exe\\\",\\n \\\"jusched.exe\\\",\\n \\\"ctfmon.exe\\\",\\n \\\"taskhostw.exe\\\",\\n \\\"GoogleUpdate.exe\\\",\\n \\\"sppsvc.exe\\\",\\n \\\"sihost.exe\\\",\\n \\\"slui.exe\\\",\\n \\\"SIHClient.exe\\\",\\n \\\"SearchIndexer.exe\\\",\\n \\\"SearchProtocolHost.exe\\\",\\n \\\"FlashPlayerUpdateService.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WUDFHost.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wlanext.exe\\\" ) and\\n not (process.parent.name : \\\"dllhost.exe\\\" and process.parent.args : \\\"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Parent Process for cmd.exe\",\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":413,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for 
Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.941Z\",\"created_by\":\"elastic\",\"revision\
":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"epad.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"dllhost.exe\\\",\\n \\\"LogonUI.exe\\\",\\n \\\"wermgr.exe\\\",\\n \\\"spoolsv.exe\\\",\\n \\\"jucheck.exe\\\",\\n \\\"jusched.exe\\\",\\n \\\"ctfmon.exe\\\",\\n \\\"taskhostw.exe\\\",\\n \\\"GoogleUpdate.exe\\\",\\n \\\"sppsvc.exe\\\",\\n \\\"sihost.exe\\\",\\n \\\"slui.exe\\\",\\n \\\"SIHClient.exe\\\",\\n \\\"SearchIndexer.exe\\\",\\n \\\"SearchProtocolHost.exe\\\",\\n \\\"FlashPlayerUpdateService.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WUDFHost.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wlanext.exe\\\" ) and\\n not (process.parent.name : \\\"dllhost.exe\\\" and process.parent.args : \\\"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":413,\"merged_version\":413,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"revision\":0,\"current_rule\":{\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"updated_at\":\"2024-12-04T19:45:45.944Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.944Z\",\"created_by\":\"elastic\",\"name\":\"NTDS or SAM Database File Copied\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. 
Those files contain sensitive information including hashed domain and/or local credentials.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating NTDS or SAM Database File Copied\\n\\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\\n\\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\\n- Determine whether the file was potentially exfiltrated from the subject host.\\n- Scope compromised credentials and disable the accounts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n 
((?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\") or process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\")) and\\n process.args : (\\\"copy\\\", \\\"xcopy\\\", \\\"Copy-Item\\\", \\\"move\\\", \\\"cp\\\", \\\"mv\\\")\\n ) or\\n ((?process.pe.original_file_name : \\\"esentutl.exe\\\" or process.name : \\\"esentutl.exe\\\") and process.args : (\\\"*/y*\\\", \\\"*/vss*\\\", \\\"*/d*\\\"))\\n ) and\\n process.command_line : (\\\"*\\\\\\\\ntds.dit*\\\", \\\"*\\\\\\\\config\\\\\\\\SAM*\\\", \\\"*\\\\\\\\*\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\HarddiskVolumeShadowCopy*\\\\\\\\*\\\", \\\"*/system32/config/SAM*\\\", \\\"*\\\\\\\\User Data\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NTDS or SAM Database File Copied\",\"description\":\"Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating NTDS or SAM Database File Copied\\n\\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\\n\\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\\n- Determine whether the file was potentially exfiltrated from the subject host.\\n- Scope compromised credentials and disable the accounts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.944Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\") or process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\")) and\\n process.args : (\\\"copy\\\", \\\"xcopy\\\", \\\"Copy-Item\\\", \\\"move\\\", \\\"cp\\\", \\\"mv\\\")\\n ) or\\n ((?process.pe.original_file_name : \\\"esentutl.exe\\\" or process.name : \\\"esentutl.exe\\\") and process.args : (\\\"*/y*\\\", \\\"*/vss*\\\", \\\"*/d*\\\"))\\n ) and\\n process.command_line : (\\\"*\\\\\\\\ntds.dit*\\\", \\\"*\\\\\\\\config\\\\\\\\SAM*\\\", 
\\\"*\\\\\\\\*\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\HarddiskVolumeShadowCopy*\\\\\\\\*\\\", \\\"*/system32/config/SAM*\\\", \\\"*\\\\\\\\User Data\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"target_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"revision\":0,\"current_rule\":{\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"updated_at\":\"2024-12-04T19:46:03.745Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.745Z\",\"created_by\":\"elastic\",\"name\":\"ScreenConnect Server Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). 
This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blackpointcyber.com/resources/blog/breaking-through-the-screen/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"ScreenConnect.Service.exe\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"csc.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ScreenConnect Server Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). 
This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blackpointcyber.com/resources/blog/breaking-through-the-screen/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.745Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"ScreenConnect.Service.exe\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"csc.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", 
\\\"powershell_ise.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"revision\":0,\"current_rule\":{\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"updated_at\":\"2024-12-04T19:45:45.948Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.948Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Log Clear Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\",\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Clear-EventLog\\\" or\\n \\\"Remove-EventLog\\\" or\\n (\\\"Eventing.Reader.EventLogSession\\\" and \\\".ClearLog\\\") or\\n (\\\"Diagnostics.EventLog\\\" and \\\".Clear\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\"\\\"\\n ) and\\n not 
file.directory : \\\"C:\\\\Program Files\\\\WindowsAdminCenter\\\\PowerShellModules\\\\Microsoft.WindowsAdminCenter.Configuration\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Resources\\\\\\\\*\\\\\\\\M365Library.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Log Clear Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\",\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.948Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Resources\\\\\\\\*\\\\\\\\M365Library.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Clear-EventLog\\\" or\\n \\\"Remove-EventLog\\\" or\\n (\\\"Eventing.Reader.EventLogSession\\\" and \\\".ClearLog\\\") or\\n (\\\"Diagnostics.EventLog\\\" and \\\".Clear\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\"\\\"\\n ) and\\n not file.directory : \\\"C:\\\\Program 
Files\\\\WindowsAdminCenter\\\\PowerShellModules\\\\Microsoft.WindowsAdminCenter.Configuration\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"revision\":0,\"current_rule\":{\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"updated_at\":\"2024-12-04T19:45:45.956Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.956Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects Linux Bash commands from the the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\",\"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\",\"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and ?process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Windows Subsystem for Linux\",\"description\":\"Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\",\"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\",\"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.956Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not 
process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and ?process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program 
Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n 
process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"revision\":0,\"current_rule\":{\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"updated_at\":\"2024-12-04T19:45:45.965Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.965Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Emond Child Process\",\"tags\":[\"Domain: 
Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.014\",\"name\":\"Emond\",\"reference\":\"https://attack.mitre.org/techniques/T1546/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.xorrior.com/emond-persistence/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"macos\\\" and event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.parent.name : \\\"emond\\\" and\\n process.name : (\\n \\\"bash\\\",\\n \\\"dash\\\",\\n \\\"sh\\\",\\n \\\"tcsh\\\",\\n \\\"csh\\\",\\n \\\"zsh\\\",\\n \\\"ksh\\\",\\n \\\"fish\\\",\\n \\\"Python\\\",\\n \\\"python*\\\",\\n \\\"perl*\\\",\\n \\\"php*\\\",\\n \\\"osascript\\\",\\n \\\"pwsh\\\",\\n \\\"curl\\\",\\n \\\"wget\\\",\\n \\\"cp\\\",\\n \\\"mv\\\",\\n \\\"touch\\\",\\n \\\"echo\\\",\\n \\\"base64\\\",\\n \\\"launchctl\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Emond Child Process\",\"description\":\"Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). 
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.014\",\"name\":\"Emond\",\"reference\":\"https://attack.mitre.org/techniques/T1546/014/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.659Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.965Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"macos\\\" and event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.parent.name : \\\"emond\\\" and\\n process.name : (\\n \\\"bash\\\",\\n \\\"dash\\\",\\n \\\"sh\\\",\\n \\\"tcsh\\\",\\n \\\"csh\\\",\\n \\\"zsh\\\",\\n \\\"ksh\\\",\\n \\\"fish\\\",\\n \\\"Python\\\",\\n \\\"python*\\\",\\n \\\"perl*\\\",\\n \\\"php*\\\",\\n \\\"osascript\\\",\\n \\\"pwsh\\\",\\n \\\"curl\\\",\\n \\\"wget\\\",\\n \\\"cp\\\",\\n \\\"mv\\\",\\n \\\"touch\\\",\\n \\\"echo\\\",\\n \\\"base64\\\",\\n 
\\\"launchctl\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.xorrior.com/emond-persistence/\"],\"target_version\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"merged_version\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"revision\":0,\"current_rule\":{\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"updated_at\":\"2024-12-04T19:45:46.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.674Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Named Pipe Impersonation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via named pipe impersonation. 
An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privilege Escalation via Named Pipe Impersonation\\n\\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\\n\\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation\",\"https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/\",\"https://redcanary.com/blog/getsystem-offsec/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\") or ?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\")) and\\n process.args : \\\"echo\\\" and process.args : \\\">\\\" and process.args : \\\"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Named Pipe Impersonation\",\"description\":\"Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privilege Escalation via Named Pipe Impersonation\\n\\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\\n\\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. 
Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation\",\"https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/\",\"https://redcanary.com/blog/getsystem-offsec/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.674Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\") or ?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\")) and\\n process.args : \\\"echo\\\" and process.args : \\\">\\\" and process.args : \\\"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"revision\":0,\"current_rule\":{\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"updated_at\":\"2024-12-04T19:45:46.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.677Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Creation CallTrace\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. 
This may indicate a code injection attempt.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Creation CallTrace\\n\\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Create a memory dump of the child process for analysis.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetProcessGUID\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\
"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"1\\\" and\\n /* sysmon process creation */\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\", \\\"fltldr.exe\\\",\\n \\\"mspub.exe\\\", \\\"msaccess.exe\\\",\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") and\\n\\n /* noisy FP patterns */\\n not (process.parent.name : \\\"EXCEL.EXE\\\" and process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\ADDINS\\\\\\\\*.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\splwow64.exe\\\" and process.args in (\\\"8192\\\", \\\"12288\\\") and process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"rundll32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\", \\\"--no-sandbox\\\")) and\\n not (process.executable :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\DWWIN.EXE\\\") and\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"regsvr32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\"))\\n ] by process.parent.entity_id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.code == 
\\\"10\\\" and\\n /* Sysmon process access event from unknown module */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"] by process.entity_id, winlog.event_data.TargetProcessGUID\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Creation CallTrace\",\"description\":\"Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Creation CallTrace\\n\\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Create a memory dump of the child process for analysis.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetProcessGUID\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.677Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"1\\\" and\\n /* sysmon process creation */\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\", \\\"fltldr.exe\\\",\\n \\\"mspub.exe\\\", \\\"msaccess.exe\\\",\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") and\\n\\n /* noisy FP patterns */\\n not (process.parent.name : \\\"EXCEL.EXE\\\" and process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\ADDINS\\\\\\\\*.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\splwow64.exe\\\" and process.args in (\\\"8192\\\", \\\"12288\\\") and process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"rundll32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\", \\\"--no-sandbox\\\")) and\\n not (process.executable :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\DWWIN.EXE\\\") and\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"regsvr32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\"))\\n ] by process.parent.entity_id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n /* Sysmon process access event from unknown module */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"] by process.entity_id, winlog.event_data.TargetProcessGUID\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"revision\":0,\"current_rule\":{\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"updated_at\":\"2024-12-04T19:45:46.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.679Z\",\"created_by\":\"elastic\",\"name\":\"Potential Password Spraying of Microsoft 365 User Accounts\",\"tags\":[\"Domain: Cloud\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. 
An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-30m\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"o365\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-o365*\"],\"query\":\"event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\\nevent.action:(\\\"UserLoginFailed\\\" or \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"actions\":[]},\"target_rule\":{\"name\":\"Deprecated - Potential Password Spraying of Microsoft 365 User 
Accounts\",\"description\":\"Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Cloud\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"o365\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.679Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\\nevent.action:(\\\"UserLoginFailed\\\" or \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"index\":[\"filebeat-*\",\"logs-o365*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Password Spraying of Microsoft 365 User Accounts\",\"target_version\":\"Deprecated - Potential Password Spraying of Microsoft 365 User Accounts\",\"merged_version\":\"Deprecated - Potential Password Spraying of Microsoft 365 User Accounts\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 
User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"merged_version\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"revision\":0,\"current_rule\":{\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"updated_at\":\"2024-12-04T19:45:46.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.684Z\",\"created_by\":\"elastic\",\"name\":\"Potential Protocol Tunneling via Chisel Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. 
Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Protocol Tunneling via Chisel Client\\n\\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\\n\\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform\",\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis 
rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Protocol Tunneling via Chisel Client\",\"description\":\"This rule monitors for common command line flags leveraged by the Chisel 
client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Protocol Tunneling via Chisel Client\\n\\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\\n\\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform\",\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.684Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and 
process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : 
(\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and 
process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"revision\":0,\"current_rule\":{\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"updated_at\":\"2024-12-04T19:45:46.697Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.697Z\",\"created_by\":\"elastic\",\"name\":\"DNF Package Manager Plugin File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\n\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\n\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", 
\\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNF Package Manager Plugin File Creation\",\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\n\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\n\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.697Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"target_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify 
System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"revision\":0,\"current_rule\":{\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"updated_at\":\"2024-12-04T19:45:46.699Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.699Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a User\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.699Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"revision\":0,\"current_rule\":{\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"updated_at\":\"2024-12-04T19:45:40.187Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.187Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Persistence via Services Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n 
\\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Persistence via Services Registry\",\"description\":\"Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. 
This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.187Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not registry.data.strings 
: (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"revision\":0,\"current_rule\":{\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"updated_at\":\"2024-12-04T19:45:46.702Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.702Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Modprobe File Event\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. 
Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /etc/modprobe.conf -p wa -k modprobe\\n-w /etc/modprobe.d -p wa -k modprobe\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Modprobe File Event\",\"description\":\"Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. 
Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /etc/modprobe.conf -p wa -k modprobe\\n-w /etc/modprobe.d -p wa -k modprobe\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.702Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or 
python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"revision\":0,\"current_rule\":{\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"updated_at\":\"2024-12-04T19:45:46.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.704Z\",\"created_by\":\"elastic\",\"name\":\"Unix Socket Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for inter-process communication via Unix sockets. 
Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", 
\\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unix Socket Connection\",\"description\":\"This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process 
Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in 
(\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"revision\":0,\"current_rule\":{\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"updated_at\":\"2024-12-04T19:45:46.706Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.706Z\",\"created_by\":\"elastic\",\"name\":\"Control Panel Process with Unusual Arguments\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.002\",\"name\":\"Control Panel\",\"reference\":\"https://attack.mitre.org/techniques/T1218/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.joesandbox.com/analysis/476188/1/html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\") and\\n process.command_line :\\n (\\\"*.jpg*\\\",\\n \\\"*.png*\\\",\\n \\\"*.gif*\\\",\\n \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\",\\n \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\",\\n \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Control Panel Process with Unusual Arguments\",\"description\":\"Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. 
Adversaries may abuse control.exe to proxy execution of malicious code.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.joesandbox.com/analysis/476188/1/html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.002\",\"name\":\"Control 
Panel\",\"reference\":\"https://attack.mitre.org/techniques/T1218/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.706Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n 
\\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\") and\\n process.command_line :\\n (\\\"*.jpg*\\\",\\n \\\"*.png*\\\",\\n \\\"*.gif*\\\",\\n \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\",\\n \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\",\\n \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", 
\\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"updated_at\":\"2024-12-04T19:46:03.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.753Z\",\"created_by\":\"elastic\",\"name\":\"AWS EC2 EBS Snapshot Shared with Another Account\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\\n\\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security:\\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1537\",\"name\":\"Transfer Data to Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1537/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html\",\"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == 
\\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 EBS Snapshot Shared with Another Account\",\"description\":\"Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\\n\\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security:\\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\\n\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.\"],\"references\":[\"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html\",\"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1537\",\"name\":\"Transfer Data to Cloud 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1537/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, 
event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"revision\":0,\"current_rule\":{\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"updated_at\":\"2024-12-04T19:45:46.718Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.718Z\",\"created_by\":\"elastic\",\"name\":\"Process Creation via Secondary Logon\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nAudit events 4624 and 4688 are needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n\\n[authentication where event.action:\\\"logged-in\\\" and\\n event.outcome == \\\"success\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* seclogon service */\\n process.name == \\\"svchost.exe\\\" and\\n 
winlog.event_data.LogonProcessName : \\\"seclogo*\\\" and source.ip == \\\"::1\\\" ] by winlog.event_data.TargetLogonId\\n\\n[process where event.type == \\\"start\\\"] by winlog.event_data.TargetLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Creation via Secondary Logon\",\"description\":\"Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"setup\":\"## Setup\\n\\nAudit events 4624 and 4688 are needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.718Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n\\n[authentication where event.action:\\\"logged-in\\\" and\\n event.outcome == \\\"success\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* seclogon service */\\n process.name == \\\"svchost.exe\\\" and\\n winlog.event_data.LogonProcessName : \\\"seclogo*\\\" and source.ip == \\\"::1\\\" ] by winlog.event_data.TargetLogonId\\n\\n[process where event.type == \\\"start\\\"] by 
winlog.event_data.TargetLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"revision\":0,\"current_rule\":{\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"updated_at\":\"2024-12-04T19:45:46.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.723Z\",\"created_by\":\"elastic\",\"name\":\"Linux User Added to Privileged Group\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User User Added to Privileged Group\\n\\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\\n\\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\\n\\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was succesfully added to the privileged group.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Retrieve information about the privileged group to which the user was added.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the account that seems to be involved in malicious activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n process.name == \\\"gpasswd\\\" and \\n process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux User Added to Privileged Group\",\"description\":\"Identifies attempts to add a user to a privileged group. 
Attackers may add users to a privileged group in order to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User User Added to Privileged Group\\n\\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\\n\\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\\n\\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was succesfully added to the privileged group.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Retrieve information about the privileged group to which the user was added.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the account that seems to be involved in malicious activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) 
\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n process.name == \\\"gpasswd\\\" and \\n process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) 
\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"revision\":0,\"current_rule\":{\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"updated_at\":\"2024-12-04T19:45:46.725Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.725Z\",\"created_by\":\"elastic\",\"name\":\"Startup Persistence by a Suspicious Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup Persistence by a Suspicious Process\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for 
suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n file.path : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\") and\\n process.name : (\\\"cmd.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"EQNEDT32.EXE\\\",\\n \\\"WINWORD.EXE\\\",\\n \\\"EXCEL.EXE\\\",\\n \\\"POWERPNT.EXE\\\",\\n \\\"MSPUB.EXE\\\",\\n \\\"MSACCESS.EXE\\\",\\n \\\"iexplore.exe\\\",\\n \\\"InstallUtil.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup Persistence by a Suspicious Process\",\"description\":\"Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup Persistence by a Suspicious Process\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for 
suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.725Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n file.path : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\") and\\n process.name : (\\\"cmd.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"EQNEDT32.EXE\\\",\\n \\\"WINWORD.EXE\\\",\\n \\\"EXCEL.EXE\\\",\\n \\\"POWERPNT.EXE\\\",\\n \\\"MSPUB.EXE\\\",\\n \\\"MSACCESS.EXE\\\",\\n \\\"iexplore.exe\\\",\\n 
\\\"InstallUtil.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"revision\":0,\"current_rule\":{\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"updated_at\":\"2024-12-04T19:45:46.728Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.728Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Path Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. 
Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_path_activity\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Path Activity\",\"description\":\"Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. 
In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.728Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_path_activity\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"revision\":0,\"current_rule\":{\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"updated_at\":\"2024-12-04T19:45:46.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.736Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Vault Web Credentials Read\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Resource\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SchemaFriendlyName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.process.pid\",\"type\":\"long\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\\n\\n /* 2 consecutive vault reads from same pid for web creds */\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not 
winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Vault Web Credentials Read\",\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Resource\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SchemaFriendlyName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.process.pid\",\"type\":\"long\",\"ecs\":false}],\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\\n\\n /* 2 consecutive vault reads from same pid for web creds */\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\\n 
[any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"revision\":0,\"current_rule\":{\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"updated_at\":\"2024-12-04T19:45:46.746Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.746Z\",\"created_by\":\"elastic\",\"name\":\"Windows Event Logs Cleared\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Event Logs Cleared\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the occurrence of clear actions on the `security` event log.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Anabella Cristaldi\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.provider_name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"audit-log-cleared\\\" or \\\"Log clear\\\") and winlog.api:\\\"wineventlog\\\" and\\n not winlog.provider_name:\\\"AD FS Auditing\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Event Logs 
Cleared\",\"description\":\"Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Event Logs Cleared\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the occurrence of clear actions on the `security` event log.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Anabella Cristaldi\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event 
Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.provider_name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.746Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"audit-log-cleared\\\" or \\\"Log clear\\\") and winlog.api:\\\"wineventlog\\\" and\\n not winlog.provider_name:\\\"AD FS Auditing\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"revision\":0,\"current_rule\":{\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"updated_at\":\"2024-12-04T19:45:46.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.748Z\",\"created_by\":\"elastic\",\"name\":\"Encrypting Files with WinRar or 7z\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Encrypting Files with WinRar or 7z\\n\\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. 
Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\\n\\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Retrieve the encrypted file.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the password used in the encryption was included in the command line.\\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\\n- Investigate if the file was transferred to an attacker-controlled server.\\n\\n### False positive analysis\\n\\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\",\"subtechnique\":[{\"id\":\"T1560.001\",\"name\":\"Archive via 
Utility\",\"reference\":\"https://attack.mitre.org/techniques/T1560/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n 
?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\") and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Encrypting Files with WinRar or 7z\",\"description\":\"Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Encrypting Files with WinRar or 7z\\n\\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\\n\\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Retrieve the encrypted file.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the password used in the encryption was included in the command line.\\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\\n- Investigate if the file was transferred to an attacker-controlled server.\\n\\n### False positive analysis\\n\\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\",\"subtechnique\":[{\"id\":\"T1560.001\",\"name\":\"Archive via Utility\",\"reference\":\"https://attack.mitre.org/techniques/T1560/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program 
Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\"],\"target_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) 
or\\n (\\n ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\") and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == 
\\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"revision\":0,\"current_rule\":{\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"updated_at\":\"2024-12-04T19:45:46.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.750Z\",\"created_by\":\"elastic\",\"name\":\"Adding Hidden File Attribute via Attrib\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adding Hidden File Attribute via Attrib\\n\\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \\n\\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\\n\\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the target file or folder.\\n - Examine the file, which process created it, header, etc.\\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"attrib.exe\\\" or ?process.pe.original_file_name == \\\"ATTRIB.EXE\\\") and process.args : \\\"+h\\\" and\\n not (process.parent.name: \\\"cmd.exe\\\" and process.command_line: \\\"attrib +R +H +S +A *.cui\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Adding Hidden File Attribute via Attrib\",\"description\":\"Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adding Hidden File Attribute 
via Attrib\\n\\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \\n\\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\\n\\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the target file or folder.\\n - Examine the file, which process created it, header, etc.\\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"attrib.exe\\\" or ?process.pe.original_file_name == \\\"ATTRIB.EXE\\\") and process.args : \\\"+h\\\" and\\n not (process.parent.name: \\\"cmd.exe\\\" and process.command_line: \\\"attrib +R +H +S +A 
*.cui\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"revision\":0,\"current_rule\":{\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"updated_at\":\"2024-12-04T19:45:46.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.753Z\",\"created_by\":\"elastic\",\"name\":\"Potential Local NTLM Relay via HTTP\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. 
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1212\",\"name\":\"Exploitation for Credential Access\",\"reference\":\"https://attack.mitre.org/techniques/T1212/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/med0x2e/NTLMRelay2Self\",\"https://github.com/topotam/PetitPotam\",\"https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*
\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n\\n /* Rundll32 WbeDav Client */\\n process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\davclnt.dll,DavSetCookie\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\davclnt.dll,DavSetCookie\\\") and\\n\\n /* Access to named pipe via http */\\n process.args : (\\\"http*/print/pipe/*\\\", \\\"http*/pipe/spoolss\\\", \\\"http*/pipe/srvsvc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Local NTLM Relay via HTTP\",\"description\":\"Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/med0x2e/NTLMRelay2Self\",\"https://github.com/topotam/PetitPotam\",\"https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1212\",\"name\":\"Exploitation for Credential Access\",\"reference\":\"https://attack.mitre.org/techniques/T1212/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n\\n /* Rundll32 WbeDav Client */\\n process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\davclnt.dll,DavSetCookie\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\davclnt.dll,DavSetCookie\\\") and\\n\\n /* Access to named pipe 
via http */\\n process.args : (\\\"http*/print/pipe/*\\\", \\\"http*/pipe/spoolss\\\", \\\"http*/pipe/srvsvc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"revision\":0,\"current_rule\":{\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"updated_at\":\"2024-12-04T19:45:46.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.757Z\",\"created_by\":\"elastic\",\"name\":\"System V Init Script Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \\\"systemd-sysv-generator\\\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating System V Init Script Created\\n\\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\\n\\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\\n\\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. 
Executable files in these directories will automatically run at boot with root privileges.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. 
\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"t
ype\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", 
\\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System V Init Script Created\",\"description\":\"Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \\\"systemd-sysv-generator\\\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System V Init Script Created\\n\\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\\n\\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\\n\\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. 
Executable files in these directories will automatically run at boot with root privileges.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. 
\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":13,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":13,\"merged_version\":13,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"revision\":0,\"current_rule\":{\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"updated_at\":\"2024-12-04T19:45:46.762Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.762Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Remote Registry Access via SeBackupPrivilege\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\\n\\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\\n\\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. 
This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the activities done by the subject user the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\\n- Investigate if the registry file was retrieved or exfiltrated.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Limit or disable the involved user account to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/mpgn/BackupOperatorToDA\",\"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success)\\n```\\n\\nThe 'Special Logon' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nLogon/Logoff >\\nSpecial Logon (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\\n [iam where event.action == 
\\\"logged-in-special\\\" and\\n winlog.event_data.PrivilegeList : \\\"SeBackupPrivilege\\\" and\\n\\n /* excluding accounts with existing privileged access */\\n not winlog.event_data.PrivilegeList : \\\"SeDebugPrivilege\\\"]\\n [any where event.action == \\\"Detailed File Share\\\" and winlog.event_data.RelativeTargetName : \\\"winreg\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Remote Registry Access via SeBackupPrivilege\",\"description\":\"Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\\n\\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\\n\\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\\n- Investigate if the registry file was retrieved or exfiltrated.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Limit or disable the involved user account to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/mpgn/BackupOperatorToDA\",\"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"setup\":\"## Setup\\n\\nThe 
'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success)\\n```\\n\\nThe 'Special Logon' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nLogon/Logoff >\\nSpecial Logon (Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.762Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\\n [iam where event.action == \\\"logged-in-special\\\" and\\n winlog.event_data.PrivilegeList : \\\"SeBackupPrivilege\\\" and\\n\\n /* excluding accounts with existing privileged access */\\n not winlog.event_data.PrivilegeList : 
\\\"SeDebugPrivilege\\\"]\\n [any where event.action == \\\"Detailed File Share\\\" and winlog.event_data.RelativeTargetName : \\\"winreg\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"revision\":0,\"current_rule\":{\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"updated_at\":\"2024-12-04T19:45:46.771Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.771Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Server UM Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. 
If known processes are causing false positives, they can be exempted from the rule.\"],\"from\":\"now-9m\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Server UM Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26857.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule.\"],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.771Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange 
Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 
Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"revision\":0,\"current_rule\":{\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"updated_at\":\"2024-12-04T19:45:46.778Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.778Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Logon Failure from the same Source 
Address\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure from the same Source Address\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user names.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\\n\\n### False positive analysis\\n\\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password 
Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\",\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624\",\"https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity\",\"https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). 
This edge case will break the rule condition and it won't trigger an alert.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /*\\n noisy failure status codes often associated to authentication misconfiguration :\\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\\n 0XC000005E\\t- There are currently no logon servers available to service the logon request.\\n 0XC0000133\\t- Clocks between DC and other computer too far out of sync.\\n 0XC0000192\\tAn attempt was made to logon, but the Netlogon service was not started.\\n */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Logon Failure from the same Source Address\",\"description\":\"Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure from the same Source Address\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. 
Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user names.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\\n\\n### False positive analysis\\n\\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\",\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624\",\"https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity\",\"https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.778Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : 
(\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /*\\n noisy failure status codes often associated to authentication misconfiguration :\\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\\n 0XC000005E\\t- There are currently no logon servers available to service the logon request.\\n 0XC0000133\\t- Clocks between DC and other computer too far out of sync.\\n 0XC0000192\\tAn attempt was made to logon, but the Netlogon service was not started.\\n */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"revision\":0,\"current_rule\":{\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"updated_at\":\"2024-12-04T19:45:46.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.790Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Backdoor User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the attempt to create a new backdoor user by setting the user's UID to 0. 
Attackers may alter a user's UID to 0 to establish persistence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux Backdoor User Account Creation\\n\\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\\n\\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\\n\\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve User Accounts with a UID of 0\\\",\\\"query\\\":\\\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\\\n'0'\\\\n\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"usermod\\\" and process.args : \\\"-u\\\" and process.args : \\\"0\\\" and process.args : \\\"-o\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Backdoor User Account Creation\",\"description\":\"Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux Backdoor User Account Creation\\n\\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\\n\\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\\n\\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve User Accounts with a UID of 0\\\",\\\"query\\\":\\\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\\\n'0'\\\\n\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"usermod\\\" and process.args : \\\"-u\\\" and process.args : \\\"0\\\" and process.args : 
\\\"-o\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"updated_at\":\"2024-12-04T19:45:46.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.792Z\",\"created_by\":\"elastic\",\"name\":\"Application Removed from Blocklist in Google Workspace\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. 
This may also indicate the unauthorized use of an application that had previously been blocked by a user with admin privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Removed from Blocklist in Google Workspace\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\\n\\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- After identifying the involved user account, review 
other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.old_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.type:\\\"change\\\" and\\n event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and\\n google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\" and\\n 
google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Application Removed from Blocklist in Google Workspace\",\"description\":\"Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had previously been blocked by a user with admin privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Removed from Blocklist in Google Workspace\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\\n\\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- 
Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, 
`var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.old_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.type:\\\"change\\\" and\\n event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and\\n google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\" and\\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"revision\":0,\"current_rule\":{\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"updated_at\":\"2024-12-04T19:45:46.794Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.794Z\",\"created_by\":\"elastic\",\"name\":\"Process Discovery Using Built-in Tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies the execution of commands that can be used to enumerate running processes. 
Adversaries may enumerate processes to identify installed applications and security solutions.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name :(\\\"PsList.exe\\\", \\\"qprocess.exe\\\") or \\n (process.name : \\\"powershell.exe\\\" and process.args : (\\\"*get-process*\\\", \\\"*Win32_Process*\\\")) or \\n (process.name : \\\"wmic.exe\\\" and process.args : (\\\"process\\\", \\\"*Win32_Process*\\\")) or\\n (process.name : \\\"tasklist.exe\\\" and not process.args : (\\\"pid eq*\\\")) or\\n (process.name : \\\"query.exe\\\" and process.args : 
\\\"process\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Discovery Using Built-in Tools\",\"description\":\"This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.794Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name :(\\\"PsList.exe\\\", \\\"qprocess.exe\\\") or \\n (process.name : \\\"powershell.exe\\\" and process.args : (\\\"*get-process*\\\", \\\"*Win32_Process*\\\")) or \\n (process.name : \\\"wmic.exe\\\" and process.args : (\\\"process\\\", \\\"*Win32_Process*\\\")) or\\n (process.name : \\\"tasklist.exe\\\" and not process.args : (\\\"pid eq*\\\")) or\\n (process.name : \\\"query.exe\\\" and process.args : \\\"process\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"revision\":0,\"current_rule\":{\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"updated_at\":\"2024-12-04T19:45:46.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.797Z\",\"created_by\":\"elastic\",\"name\":\"Possible FIN7 DGA Command and Control Behavior\",\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects a 
known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.\"],\"from\":\"now-9m\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation 
Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"query\",\"language\":\"lucene\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.tls OR network_traffic.http) OR\\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\\ndestination.domain:/[a-zA-Z]{4,5}\\\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Possible FIN7 DGA Command and Control Behavior\",\"description\":\"This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. 
Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.tls OR 
network_traffic.http) OR\\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\\ndestination.domain:/[a-zA-Z]{4,5}\\\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\\n\",\"language\":\"lucene\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"target_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"revision\":0,\"current_rule\":{\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"updated_at\":\"2024-12-04T19:46:03.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.757Z\",\"created_by\":\"elastic\",\"name\":\"Potential Cross Site Scripting (XSS)\",\"tags\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1189\",\"name\":\"Drive-by 
Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1189/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/payloadbox/xss-payload-list\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"apm\",\"version\":\"^8.0.0\"}],\"required_fields\":[{\"name\":\"processor.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"url.fragment\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"apm-*-transaction*\",\"traces-apm*\"],\"query\":\"any where processor.name == \\\"transaction\\\" and\\nurl.fragment : (\\\"\\\", \\\"\\\", \\\"*onerror=*\\\", \\\"*javascript*alert*\\\", \\\"*eval*(*)*\\\", \\\"*onclick=*\\\",\\n\\\"*alert(document.cookie)*\\\", \\\"*alert(document.domain)*\\\",\\\"*onresize=*\\\",\\\"*onload=*\\\",\\\"*onmouseover=*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Cross Site Scripting (XSS)\",\"description\":\"Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. 
This detection rule identifies the potential malicious executions of such browser-side scripts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/payloadbox/xss-payload-list\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1189\",\"name\":\"Drive-by Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1189/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"apm\",\"version\":\"^8.0.0\"}],\"required_fields\":[{\"name\":\"processor.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"url.fragment\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where processor.name == \\\"transaction\\\" and\\nurl.fragment : (\\\"\\\", \\\"\\\", \\\"*onerror=*\\\", \\\"*javascript*alert*\\\", \\\"*eval*(*)*\\\", \\\"*onclick=*\\\",\\n\\\"*alert(document.cookie)*\\\", 
\\\"*alert(document.domain)*\\\",\\\"*onresize=*\\\",\\\"*onload=*\\\",\\\"*onmouseover=*\\\")\\n\",\"language\":\"eql\",\"index\":[\"apm-*-transaction*\",\"traces-apm*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\"],\"target_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"merged_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"revision\":0,\"current_rule\":{\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"updated_at\":\"2024-12-04T19:45:47.885Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.885Z\",\"created_by\":\"elastic\",\"name\":\"Disable Windows Firewall Rules via Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the netsh.exe to disable or weaken the local firewall. 
Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Firewall Rules via Netsh\\n\\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"netsh.exe\\\" and\\n (\\n (process.args : \\\"disable\\\" and process.args : \\\"firewall\\\" and process.args : \\\"set\\\") or\\n (process.args : \\\"advfirewall\\\" and process.args : \\\"off\\\" and process.args : \\\"state\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disable Windows Firewall Rules via Netsh\",\"description\":\"Identifies use of the netsh.exe to disable or weaken the local firewall. 
Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Firewall Rules via Netsh\\n\\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.885Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"netsh.exe\\\" and\\n (\\n (process.args : \\\"disable\\\" and process.args : \\\"firewall\\\" and process.args : \\\"set\\\") or\\n (process.args : \\\"advfirewall\\\" and process.args : \\\"off\\\" and process.args : \\\"state\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"revision\":0,\"current_rule\":{\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"updated_at\":\"2024-12-04T19:45:47.759Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.759Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Execution Path - Alternate Data Stream\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes running from an Alternate Data Stream. 
This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"?:\\\\\\\\*:*\\\" and process.args_count == 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Execution Path - Alternate Data Stream\",\"description\":\"Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true}],\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.759Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"?:\\\\\\\\*:*\\\" and process.args_count == 1\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"revision\":0,\"current_rule\":{\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"updated_at\":\"2024-12-04T19:45:47.762Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.762Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Share Enumeration Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Share Enumeration Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\\n - Evaluate which information was potentially mapped and accessed by the attacker.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[\"https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations\",\"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-ShareFinder\\\" or\\n \\\"Invoke-ShareFinderThreaded\\\" or\\n (\\n \\\"shi1_netname\\\" and\\n \\\"shi1_remark\\\"\\n ) or\\n (\\n \\\"NetShareEnum\\\" and\\n \\\"NetApiBufferFree\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Share Enumeration 
Script\",\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Share Enumeration Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\\n - Evaluate which information was potentially mapped and accessed by the attacker.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations\",\"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.762Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-ShareFinder\\\" or\\n \\\"Invoke-ShareFinderThreaded\\\" or\\n (\\n \\\"shi1_netname\\\" and\\n \\\"shi1_remark\\\"\\n ) or\\n (\\n \\\"NetShareEnum\\\" and\\n \\\"NetApiBufferFree\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"revision\":0,\"current_rule\":{\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"updated_at\":\"2024-12-04T19:45:47.764Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.764Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Load or Unload via Kexec Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. 
a VM Escape.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1601\",\"name\":\"Modify System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/\",\"subtechnique\":[{\"id\":\"T1601.001\",\"name\":\"Patch System 
Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.crowdstrike.com/blog/venom-vulnerability-details/\",\"https://www.makeuseof.com/what-is-venom-vulnerability/\",\"https://madaidans-insecurities.github.io/guides/linux-hardening.html\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Load or Unload via Kexec Detected\",\"description\":\"This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. 
Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.crowdstrike.com/blog/venom-vulnerability-details/\",\"https://www.makeuseof.com/what-is-venom-vulnerability/\",\"https://madaidans-insecurities.github.io/guides/linux-hardening.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1601\",\"name\":\"Modify System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/\",\"subtechnique\":[{\"id\":\"T1601.001\",\"name\":\"Patch System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.764Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", 
\\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in 
(\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", \\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", \\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"revision\":0,\"current_rule\":{\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"updated_at\":\"2024-12-04T19:45:47.772Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.772Z\",\"created_by\":\"elastic\",\"name\":\"Disable Windows Event and Security Logs Using Built-in Tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable 
EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Ivan Ninichuck\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman\",\"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n ((process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")) or\\n\\n ((process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", 
\\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in\\n (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")) and\\n\\tprocess.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\") or\\n\\n ((process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disable Windows Event and Security Logs Using Built-in Tools\",\"description\":\"Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Ivan Ninichuck\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman\",\"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.772Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == 
\\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n ((process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")) or\\n\\n ((process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in\\n 
(\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")) and\\n\\tprocess.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\") or\\n\\n ((process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and 
process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"revision\":0,\"current_rule\":{\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"updated_at\":\"2024-12-04T19:45:47.778Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.778Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Logon Failure Followed by Logon Success\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple logon failures followed by a successful one from the 
same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure Followed by Logon Success\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password 
Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=5s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and user.id != null and \\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and 
source.ip != \\\"::1\\\" and \\n not winlog.event_data.TargetUserSid : \\\"S-1-0-0\\\" and not user.id : \\\"S-1-0-0\\\" and \\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Logon Failure Followed by Logon Success\",\"description\":\"Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure Followed by Logon Success\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. 
Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.778Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=5s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and user.id != null and \\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and \\n not winlog.event_data.TargetUserSid : \\\"S-1-0-0\\\" and not user.id : \\\"S-1-0-0\\\" and \\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT 
AUTHORITY\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"revision\":0,\"current_rule\":{\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"updated_at\":\"2024-12-04T19:45:47.782Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.782Z\",\"created_by\":\"elastic\",\"name\":\"Execution via MSSQL xp_cmdshell Stored Procedure\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\\n\\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. 
This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\\n\\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\\n- Disable the xp_cmdshell stored procedure.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.001\",\"name\":\"SQL Stored Procedures\",\"reference\":\"https://attack.mitre.org/techniques/T1505/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"sqlservr.exe\\\" and \\n (\\n (process.name : \\\"cmd.exe\\\" and \\n not process.args : (\\\"\\\\\\\\\\\\\\\\*\\\", \\\"diskfree\\\", \\\"rmdir\\\", \\\"mkdir\\\", \\\"dir\\\", \\\"del\\\", \\\"rename\\\", \\\"bcp\\\", \\\"*XMLNAMESPACES*\\\", \\n 
\\\"?:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Jobs\\\\\\\\sql_agent_backup_job.ps1\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\msdb\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Logins\\\")) or \\n \\n (process.name : \\\"vpnbridge.exe\\\" or ?process.pe.original_file_name : \\\"vpnbridge.exe\\\") or \\n\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") or \\n\\n (process.name : \\\"bitsadmin.exe\\\" or ?process.pe.original_file_name == \\\"bitsadmin.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via MSSQL xp_cmdshell Stored Procedure\",\"description\":\"Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\\n\\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\\n\\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\\n- Disable the xp_cmdshell stored procedure.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.001\",\"name\":\"SQL Stored Procedures\",\"reference\":\"https://attack.mitre.org/techniques/T1505/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.782Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"sqlservr.exe\\\" and \\n (\\n (process.name : \\\"cmd.exe\\\" and \\n not process.args : (\\\"\\\\\\\\\\\\\\\\*\\\", \\\"diskfree\\\", \\\"rmdir\\\", \\\"mkdir\\\", \\\"dir\\\", \\\"del\\\", \\\"rename\\\", \\\"bcp\\\", \\\"*XMLNAMESPACES*\\\", \\n \\\"?:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Jobs\\\\\\\\sql_agent_backup_job.ps1\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\msdb\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Logins\\\")) or \\n \\n (process.name : \\\"vpnbridge.exe\\\" or ?process.pe.original_file_name : \\\"vpnbridge.exe\\\") or \\n\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") or \\n\\n 
(process.name : \\\"bitsadmin.exe\\\" or ?process.pe.original_file_name == \\\"bitsadmin.exe\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules 
was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"revision\":0,\"current_rule\":{\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"updated_at\":\"2024-12-04T19:45:47.785Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.785Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Script Object Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scrobj.dll loaded into unusual Microsoft processes. 
This usually means a malicious scriptlet is being executed in the target process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : 
(\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Script Object Execution\",\"description\":\"Identifies scrobj.dll loaded into unusual Microsoft processes. 
This usually means a malicious scriptlet is being executed in the target process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.785Z\",\"created_by\":\"elastic\",\"revision\":1,\"type
\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action 
: \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") 
and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"revision\":0,\"current_rule\":{\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"updated_at\":\"2024-12-04T19:46:03.760Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.760Z\",\"created_by\":\"elastic\",\"name\":\"Unusual High Confidence Misconduct Blocks Detected\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"New model deployments.\",\"Testing updates to compliance policies.\"],\"from\":\"now-60m\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.confidence == \\\"HIGH\\\" and gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.compliance.violation_code == \\\"MISCONDUCT\\\"\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual High Confidence Misconduct Blocks Detected\",\"description\":\"Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: 
T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"New model deployments.\",\"Testing updates to compliance policies.\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.760Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage 
content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector 
abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.confidence == \\\"HIGH\\\" and gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.compliance.violation_code == \\\"MISCONDUCT\\\"\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"revision\":0,\"current_rule\":{\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"updated_at\":\"2024-12-04T19:45:47.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.790Z\",\"created_by\":\"elastic\",\"name\":\"Execution via TSClient Mountpoint\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\tsclient\\\\\\\\*.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via TSClient Mountpoint\",\"description\":\"Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. 
This may indicate a lateral movement attempt.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\tsclient\\\\\\\\*.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"revision\":0,\"current_rule\":{\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"updated_at\":\"2024-12-04T19:45:47.794Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.794Z\",\"created_by\":\"elastic\",\"name\":\"Windows System Information Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational 
awareness.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"ver*\\\" and not\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Keybase\\\\\\\\upd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\python*.exe\\\"\\n )\\n ) or \\n process.name : (\\\"systeminfo.exe\\\", \\\"hostname.exe\\\") or \\n (process.name : 
\\\"wmic.exe\\\" and process.args : \\\"os\\\" and process.args : \\\"get\\\")\\n) and not\\nprocess.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\"\\n) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows System Information Discovery\",\"description\":\"Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.794Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"ver*\\\" and not\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Keybase\\\\\\\\upd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\python*.exe\\\"\\n )\\n ) or \\n process.name : (\\\"systeminfo.exe\\\", \\\"hostname.exe\\\") or \\n (process.name : \\\"wmic.exe\\\" and process.args : \\\"os\\\" and process.args : \\\"get\\\")\\n) and not\\nprocess.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\"\\n) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"revision\":0,\"current_rule\":{\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"updated_at\":\"2024-12-04T19:45:47.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.797Z\",\"created_by\":\"elastic\",\"name\":\"Hidden Files and Directories via Hidden Flag\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and 
Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"file where event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Hidden Files and Directories via Hidden Flag\",\"description\":\"Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and 
Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic 
Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == 
\\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"revision\":0,\"current_rule\":{\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"updated_at\":\"2024-12-04T19:45:40.203Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.203Z\",\"created_by\":\"elastic\",\"name\":\"Registry Persistence via AppCert DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":312,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Registry Persistence via AppCert DLL\",\"description\":\"Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.203Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":312,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"revision\":0,\"current_rule\":{\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"updated_at\":\"2024-12-04T19:45:47.804Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.804Z\",\"created_by\":\"elastic\",\"name\":\"Service DACL Modification via sc.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and 
users.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\",\"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\",\"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\
"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"sdset\\\" and process.args : \\\"*D;*\\\" and\\n process.args : (\\\"*;IU*\\\", \\\"*;SU*\\\", \\\"*;BA*\\\", \\\"*;SY*\\\", \\\"*;WD*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service DACL Modification via sc.exe\",\"description\":\"Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\",\"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\",\"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.804Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"sdset\\\" and process.args : \\\"*D;*\\\" and\\n process.args : (\\\"*;IU*\\\", \\\"*;SU*\\\", \\\"*;BA*\\\", \\\"*;SY*\\\", \\\"*;WD*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"revision\":0,\"current_rule\":{\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"updated_at\":\"2024-12-04T19:45:47.812Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.812Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement with MMC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary 
Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mmc.exe\\\" and source.port >= 49152 and\\n destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\"\\n ] by process.entity_id\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"mmc.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement with MMC\",\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.812Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mmc.exe\\\" and source.port >= 49152 and\\n destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and 
process.parent.name : \\\"mmc.exe\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"revision\":0,\"current_rule\":{\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"updated_at\":\"2024-12-04T19:45:47.820Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.820Z\",\"created_by\":\"elastic\",\"name\":\"Linux Restricted Shell Breakout via Linux Binary(s)\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. 
The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shell Evasion via Linux Utilities\\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\\nenvironments by spawning an interactive system shell.\\nHere are some possible avenues of investigation:\\n- Examine the entry point to the host and user in action via the Analyse View.\\n - Identify the session entry leader and session user\\n- Examine the contents of session leading to the abuse via the Session View.\\n - Examine the command execution pattern in the session, which may lead to suspricous activities\\n- Examine the execution of commands in the spawned shell.\\n - Identify imment threat to the system from the executed commands\\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\\n\\n### Related rules\\n\\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\\n\\n### Response and remediation\\n\\nInitiate the incident response process based on the outcome of the triage.\\n\\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\\n - Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware execution via the maliciously spawned shell,\\n - Search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n 
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the triage revelaed defence evasion for imparing defenses\\n - Isolate the involved host to prevent further post-compromise behavior.\\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\\n - Isolate further login to the systems that can initae auto start scripts.\\n - Identify the auto start scripts and disable and remove the same from the systems\\n- If the triage revealed data crawling or data export via remote copy\\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"
name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\\n#### To confirm that Session View data is enabled:\\n- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies.\\n- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom.\\n- Check the box for “Process events”, and turn on the “Include session data” toggle.\\n- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.\\n- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.\\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\n(\\n /* launching shell from capsh */\\n (process.name == \\\"capsh\\\" and process.args == \\\"--\\\") or\\n \\n /* launching shells from unusual parents or parent+arg combos */\\n (process.name in (\\\"bash\\\", 
\\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and (\\n (process.parent.name : \\\"*awk\\\" and process.parent.args : \\\"BEGIN {system(*)}\\\") or\\n (process.parent.name == \\\"git\\\" and process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or \\n process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") and not process.name == \\\"ssh\\\" ) or\\n (process.parent.name : (\\\"byebug\\\", \\\"ftp\\\", \\\"strace\\\", \\\"zip\\\", \\\"tar\\\") and \\n (\\n process.parent.args : \\\"BEGIN {system(*)}\\\" or\\n (process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\")) or\\n (\\n (process.parent.args : \\\"exec=*sh\\\" or (process.parent.args : \\\"-I\\\" and process.parent.args : \\\"*sh\\\")) or\\n (process.args : \\\"exec=*sh\\\" or (process.args : \\\"-I\\\" and process.args : \\\"*sh\\\"))\\n )\\n )\\n ) or\\n \\n /* shells specified in parent args */\\n /* nice rule is broken in 8.2 */\\n (process.parent.args : \\\"*sh\\\" and\\n (\\n (process.parent.name == \\\"nice\\\") or\\n (process.parent.name == \\\"cpulimit\\\" and process.parent.args == \\\"-f\\\") or\\n (process.parent.name == \\\"find\\\" and process.parent.args == \\\".\\\" and process.parent.args == \\\"-exec\\\" and \\n process.parent.args == \\\";\\\" and process.parent.args : \\\"/bin/*sh\\\") or\\n (process.parent.name == \\\"flock\\\" and process.parent.args == \\\"-u\\\" and process.parent.args == \\\"/\\\")\\n )\\n )\\n )) or\\n\\n /* shells specified in args */\\n (process.args : \\\"*sh\\\" and (\\n (process.parent.name == \\\"crash\\\" and process.parent.args == \\\"-h\\\") or\\n (process.name == \\\"sensible-pager\\\" and process.parent.name in (\\\"apt\\\", \\\"apt-get\\\") and process.parent.args == \\\"changelog\\\")\\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise 
and remove false positives */\\n \\n )) or\\n (process.name == \\\"busybox\\\" and event.action == \\\"exec\\\" and process.args_count == 2 and process.args : \\\"*sh\\\" and not \\n process.executable : \\\"/var/lib/docker/overlay2/*/merged/bin/busybox\\\" and not (process.parent.args == \\\"init\\\" and\\n process.parent.args == \\\"runc\\\") and not process.parent.args in (\\\"ls-remote\\\", \\\"push\\\", \\\"fetch\\\") and not process.parent.name == \\\"mkinitramfs\\\") or\\n (process.name == \\\"env\\\" and process.args_count == 2 and process.args : \\\"*sh\\\") or\\n (process.parent.name in (\\\"vi\\\", \\\"vim\\\") and process.parent.args == \\\"-c\\\" and process.parent.args : \\\":!*sh\\\") or\\n (process.parent.name in (\\\"c89\\\", \\\"c99\\\", \\\"gcc\\\") and process.parent.args : \\\"*sh,-s\\\" and process.parent.args == \\\"-wrapper\\\") or\\n (process.parent.name == \\\"expect\\\" and process.parent.args == \\\"-c\\\" and process.parent.args : \\\"spawn *sh;interact\\\") or\\n (process.parent.name == \\\"mysql\\\" and process.parent.args == \\\"-e\\\" and process.parent.args : \\\"\\\\\\\\!*sh\\\") or\\n (process.parent.name == \\\"ssh\\\" and process.parent.args == \\\"-o\\\" and process.parent.args : \\\"ProxyCommand=;*sh 0<&2 1>&2\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Restricted Shell Breakout via Linux Binary(s)\",\"description\":\"Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. 
The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shell Evasion via Linux Utilities\\nDetection alerts from this rule indicate that a Linux utility has been abused to break out of restricted shells or\\nenvironments by spawning an interactive system shell.\\nHere are some possible avenues of investigation:\\n- Examine the entry point to the host and user in action via the Analyse View.\\n - Identify the session entry leader and session user\\n- Examine the contents of session leading to the abuse via the Session View.\\n - Examine the command execution pattern in the session, which may lead to suspicious activities\\n- Examine the execution of commands in the spawned shell.\\n - Identify imminent threat to the system from the executed commands\\n - Take necessary incident response actions to contain any malicious behaviour caused via this execution.\\n\\n### Related rules\\n\\n- A malicious spawned shell can execute any of the possible MITRE ATT&CK vectors mainly to impair defences.\\n- Hence it is advised to enable defence evasion and privilege escalation rules accordingly in your environment\\n\\n### Response and remediation\\n\\nInitiate the incident response process based on the outcome of the triage.\\n\\n- If the triage revealed suspicious network activity from the malicious spawned shell,\\n - Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware execution via the maliciously spawned shell,\\n - Search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious 
processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the triage revealed defence evasion for impairing defenses\\n - Isolate the involved host to prevent further post-compromise behavior.\\n - Identify the disabled security guard components on the host and take necessary steps in re-enabling the same.\\n - If any tools have been disabled / uninstalled or config tampered work towards re-enabling the same.\\n- If the triage revealed addition of persistence mechanism exploit like auto start scripts\\n - Isolate further login to the systems that can initiate auto start scripts.\\n - Identify the auto start scripts and disable and remove the same from the systems\\n- If the triage revealed data crawling or data export via remote copy\\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\\n - Initiate compromised credential deactivation and credential rotation process for all exposed credentials.\\n - Investigate if any IPR data was accessed during the data crawling and take appropriate actions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic 
Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\\n#### To confirm that Session View data is enabled:\\n- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies.\\n- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom.\\n- Check the box for “Process events”, and turn on the “Include session data” toggle.\\n- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.\\n- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.\\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/session-view.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.820Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\n(\\n /* launching shell from capsh */\\n (process.name == \\\"capsh\\\" and process.args == \\\"--\\\") or\\n \\n /* launching shells from unusual parents or parent+arg combos */\\n (process.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and (\\n (process.parent.name : \\\"*awk\\\" and process.parent.args : \\\"BEGIN {system(*)}\\\") or\\n (process.parent.name == \\\"git\\\" and process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or \\n process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") and not process.name == \\\"ssh\\\" ) or\\n (process.parent.name : (\\\"byebug\\\", \\\"ftp\\\", \\\"strace\\\", \\\"zip\\\", \\\"tar\\\") and \\n (\\n process.parent.args : 
\\\"BEGIN {system(*)}\\\" or\\n (process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\")) or\\n (\\n (process.parent.args : \\\"exec=*sh\\\" or (process.parent.args : \\\"-I\\\" and process.parent.args : \\\"*sh\\\")) or\\n (process.args : \\\"exec=*sh\\\" or (process.args : \\\"-I\\\" and process.args : \\\"*sh\\\"))\\n )\\n )\\n ) or\\n \\n /* shells specified in parent args */\\n /* nice rule is broken in 8.2 */\\n (process.parent.args : \\\"*sh\\\" and\\n (\\n (process.parent.name == \\\"nice\\\") or\\n (process.parent.name == \\\"cpulimit\\\" and process.parent.args == \\\"-f\\\") or\\n (process.parent.name == \\\"find\\\" and process.parent.args == \\\".\\\" and process.parent.args == \\\"-exec\\\" and \\n process.parent.args == \\\";\\\" and process.parent.args : \\\"/bin/*sh\\\") or\\n (process.parent.name == \\\"flock\\\" and process.parent.args == \\\"-u\\\" and process.parent.args == \\\"/\\\")\\n )\\n )\\n )) or\\n\\n /* shells specified in args */\\n (process.args : \\\"*sh\\\" and (\\n (process.parent.name == \\\"crash\\\" and process.parent.args == \\\"-h\\\") or\\n (process.name == \\\"sensible-pager\\\" and process.parent.name in (\\\"apt\\\", \\\"apt-get\\\") and process.parent.args == \\\"changelog\\\")\\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\\n \\n )) or\\n (process.name == \\\"busybox\\\" and event.action == \\\"exec\\\" and process.args_count == 2 and process.args : \\\"*sh\\\" and not \\n process.executable : \\\"/var/lib/docker/overlay2/*/merged/bin/busybox\\\" and not (process.parent.args == \\\"init\\\" and\\n process.parent.args == \\\"runc\\\") and not process.parent.args in (\\\"ls-remote\\\", \\\"push\\\", \\\"fetch\\\") and not process.parent.name == \\\"mkinitramfs\\\") or\\n (process.name == \\\"env\\\" and process.args_count == 2 and process.args : 
\\\"*sh\\\") or\\n (process.parent.name in (\\\"vi\\\", \\\"vim\\\") and process.parent.args == \\\"-c\\\" and process.parent.args : \\\":!*sh\\\") or\\n (process.parent.name in (\\\"c89\\\", \\\"c99\\\", \\\"gcc\\\") and process.parent.args : \\\"*sh,-s\\\" and process.parent.args == \\\"-wrapper\\\") or\\n (process.parent.name == \\\"expect\\\" and process.parent.args == \\\"-c\\\" and process.parent.args : \\\"spawn *sh;interact\\\") or\\n (process.parent.name == \\\"mysql\\\" and process.parent.args == \\\"-e\\\" and process.parent.args : \\\"\\\\\\\\!*sh\\\") or\\n (process.parent.name == \\\"ssh\\\" and process.parent.args == \\\"-o\\\" and process.parent.args : \\\"ProxyCommand=;*sh 0<&2 1>&2\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobin
s.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\"],\"target_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"htt
ps://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"revision\":0,\"current_rule\":{\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"updated_at\":\"2024-12-04T19:45:47.822Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.822Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Connection via RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of rundll32.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Connection via RunDLL32\\n\\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\\n\\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that RunDLL32 is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Identify the target computer and its role in the IT environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.001\",\"name\":\"Web 
Protocols\",\"reference\":\"https://attack.mitre.org/techniques/T1071/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://redcanary.com/threat-detection-report/techniques/rundll32/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"rundll32.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"rundll32.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", 
\\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Connection via RunDLL32\",\"description\":\"Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Connection via RunDLL32\\n\\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\\n\\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that RunDLL32 is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Identify the target computer and its role in the IT environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://redcanary.com/threat-detection-report/techniques/rundll32/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.001\",\"name\":\"Web Protocols\",\"reference\":\"https://attack.mitre.org/techniques/T1071/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.822Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"rundll32.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"rundll32.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", 
\\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"revision\":0,\"current_rule\":{\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"updated_at\":\"2024-12-04T19:45:47.829Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.829Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Network Activity to the Internet by Previously Unknown 
Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\\n\\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\\n\\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-59m\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n- Filebeat\\n- Packetbeat\\n\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n### Packetbeat Setup\\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\\n\\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\\n- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable:(\\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and\\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\\nnot /etc/cron.hourly/BitdefenderRedline) and\\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\\nnot process.name:(\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\\n or steam* or terraform*\\n) and\\nnot destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 
192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\\n or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-20d\",\"index\":[\"auditbeat-*\",\"filebeat-*\",\"packetbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Network Activity to the Internet by Previously Unknown Executable\",\"description\":\"This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\\n\\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\\n\\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":11,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-59m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n- Filebeat\\n- Packetbeat\\n\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n### Packetbeat Setup\\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\\n\\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\\n- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.829Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or 
/usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or /tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-20d\",\"index\":[\"auditbeat-*\",\"filebeat-*\",\"packetbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":11,\"merged_version\":11,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or 
ipv4_connection_attempt_event) and\\nprocess.executable:(\\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and\\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\\nnot /etc/cron.hourly/BitdefenderRedline) and\\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\\nnot process.name:(\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\\n or steam* or terraform*\\n) and\\nnot destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\\n or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or 
/tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or /tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl 
or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"revision\":1,\"current_rule\":{\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"updated_at\":\"2024-12-04T19:49:59.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.839Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PDF Reader Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":1,\"description\":\"Identifies suspicious child processes of PDF reader applications. 
These child processes are often launched via exploitation of PDF applications or social engineering.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PDF Reader Child Process\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[{\"id\":\"45fc22d6-c943-4028-911f-83dcfe3c000e\",\"list_id\":\"a8b5c0c7-6f1d-4399-b366-88e640119be2\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"AcroRd32.exe\\\",\\n \\\"Acrobat.exe\\\",\\n \\\"FoxitPhantomPDF.exe\\\",\\n \\\"FoxitReader.exe\\\") and\\n process.name : (\\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", 
\\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\", \\\"bginfo.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"fsi.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"msbuild.exe\\\", \\\"mshta.exe\\\",\\n \\\"msxsl.exe\\\", \\\"odbcconf.exe\\\", \\\"rcsi.exe\\\", \\\"regsvr32.exe\\\", \\\"xwizard.exe\\\", \\\"atbroker.exe\\\",\\n \\\"forfiles.exe\\\", \\\"schtasks.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"cmd.exe\\\", \\\"cscript.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"bitsadmin.exe\\\", \\\"certutil.exe\\\", \\\"ftp.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PDF Reader Child Process\",\"description\":\"Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PDF Reader Child Process\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.662Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.839Z\",\"created_by\":\"elastic\",\"revision\":2,\"type\":\"eql\",\"query\":\"process 
where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"AcroRd32.exe\\\",\\n \\\"Acrobat.exe\\\",\\n \\\"FoxitPhantomPDF.exe\\\",\\n \\\"FoxitReader.exe\\\") and\\n process.name : (\\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\", \\\"bginfo.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"fsi.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"msbuild.exe\\\", \\\"mshta.exe\\\",\\n \\\"msxsl.exe\\\", \\\"odbcconf.exe\\\", \\\"rcsi.exe\\\", \\\"regsvr32.exe\\\", \\\"xwizard.exe\\\", \\\"atbroker.exe\\\",\\n \\\"forfiles.exe\\\", \\\"schtasks.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"cmd.exe\\\", \\\"cscript.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"bitsadmin.exe\\\", \\\"certutil.exe\\\", \\\"ftp.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"revision\":0,\"current_rule\":{\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"updated_at\":\"2024-12-04T19:45:47.841Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.841Z\",\"created_by\":\"elastic\",\"name\":\"Binary Content Copy via Cmd.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and (\\n (process.args : \\\"type\\\" and process.args : (\\\">\\\", \\\">>\\\")) or\\n (process.args : \\\"copy\\\" and process.args : \\\"/b\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Binary Content Copy via Cmd.exe\",\"description\":\"Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.841Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and (\\n (process.args : \\\"type\\\" and process.args : (\\\">\\\", \\\">>\\\")) or\\n (process.args : \\\"copy\\\" and process.args : 
\\\"/b\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"revision\":0,\"current_rule\":{\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"updated_at\":\"2024-12-04T19:45:40.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.181Z\",\"created_by\":\"elastic\",\"name\":\"Uncommon Registry Persistence Change\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. 
This could be an indication of an adversary's attempt to persist in a stealthy manner.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.002\",\"name\":\"Screensaver\",\"reference\":\"https://attack.mitre.org/techniques/T1546/002/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Load\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Run\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\IconServiceLib\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\AppSetup\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Taskman\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\*\\\\\\\\ShellComponent\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnConnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnDisconnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Control 
Panel\\\\\\\\Desktop\\\\\\\\scrnsave.exe\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\VerifierDlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\GpExtensions\\\\\\\\*\\\\\\\\DllName\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\SafeBoot\\\\\\\\AlternateShell\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\Wds\\\\\\\\rdpwd\\\\\\\\StartupPrograms\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\InitialProgram\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\BootExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\SetupExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Execute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\S0InitialCommand\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\ServiceControlManagerExtension\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\BootVerificationProgram\\\\\\\\ImagePath\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\Setup\\\\\\\\CmdLine\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\UserInitMprLogonScript\\\") and\\n\\n not registry.data.strings : (\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\userinit.exe\\\", \\\"cmd.exe\\\", \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\") and\\n not process.executable : 
(\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not (process.name : (\\\"TiWorker.exe\\\", \\\"poqexec.exe\\\") and registry.value : \\\"SetupExecute\\\" and\\n registry.data.strings : (\\n \\\"C:\\\\\\\\windows\\\\\\\\System32\\\\\\\\poqexec.exe /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe /skip_critical_poq /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\"\\n )\\n ) and\\n not (process.name : \\\"svchost.exe\\\" and registry.value : \\\"SCRNSAVE.EXE\\\" and\\n registry.data.strings : (\\n \\\"%windir%\\\\\\\\system32\\\\\\\\rundll32.exe user32.dll,LockWorkStation\\\",\\n \\\"scrnsave.scr\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\Ribbons.scr\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Uncommon Registry Persistence Change\",\"description\":\"Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. 
This could be an indication of an adversary's attempt to persist in a stealthy manner.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.002\",\"name\":\"Screensaver\",\"reference\":\"https://attack.mitre.org/techniques/T1546/002/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Load\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Run\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\IconServiceLib\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\AppSetup\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Taskman\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\*\\\\\\\\ShellComponent\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnConnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnDisconnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Control 
Panel\\\\\\\\Desktop\\\\\\\\scrnsave.exe\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\VerifierDlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\GpExtensions\\\\\\\\*\\\\\\\\DllName\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\SafeBoot\\\\\\\\AlternateShell\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\Wds\\\\\\\\rdpwd\\\\\\\\StartupPrograms\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\InitialProgram\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\BootExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\SetupExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Execute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\S0InitialCommand\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\ServiceControlManagerExtension\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\BootVerificationProgram\\\\\\\\ImagePath\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\Setup\\\\\\\\CmdLine\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\UserInitMprLogonScript\\\") and\\n\\n not registry.data.strings : (\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\userinit.exe\\\", \\\"cmd.exe\\\", \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\") and\\n not process.executable : 
(\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not (process.name : (\\\"TiWorker.exe\\\", \\\"poqexec.exe\\\") and registry.value : \\\"SetupExecute\\\" and\\n registry.data.strings : (\\n \\\"C:\\\\\\\\windows\\\\\\\\System32\\\\\\\\poqexec.exe /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe /skip_critical_poq /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\"\\n )\\n ) and\\n not (process.name : \\\"svchost.exe\\\" and registry.value : \\\"SCRNSAVE.EXE\\\" and\\n registry.data.strings : (\\n \\\"%windir%\\\\\\\\system32\\\\\\\\rundll32.exe user32.dll,LockWorkStation\\\",\\n \\\"scrnsave.scr\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\Ribbons.scr\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"revision\":0,\"current_rule\":{\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"updated_at\":\"2024-12-04T19:45:47.843Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.843Z\",\"created_by\":\"elastic\",\"name\":\"Exchange Mailbox Export via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exchange Mailbox Export via PowerShell\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. 
Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local 
System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : 
\\\"New-MailboxExportRequest\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Exchange Mailbox Export via PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exchange Mailbox Export via PowerShell\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration 
activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.843Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\
\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : \\\"New-MailboxExportRequest\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"revision\":0,\"current_rule\":{\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"updated_at\":\"2024-12-04T19:45:40.209Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.209Z\",\"created_by\":\"elastic\",\"name\":\"Network Logon Provider Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Logon Provider Registry Modification\\n\\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\\n\\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the `registry.data.strings` field to identify the DLL registered.\\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on 
User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized third party network logon providers.\"],\"from\":\"now-9m\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\",\"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.data.strings : \\\"?*\\\" and registry.value : \\\"ProviderPath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\"\\n ) and\\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. 
*/\\n not (\\n user.id : \\\"S-1-5-18\\\" and\\n registry.data.strings : (\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\ntlanman.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\drprov.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\davclnt.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\vmhgfs.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\ICA Client\\\\\\\\x64\\\\\\\\pnsson.dll\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SARemediation\\\\\\\\agent\\\\\\\\DellMgmtNP.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Connect\\\\\\\\\\\\\\\\epcgina.dll\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Logon Provider Registry Modification\",\"description\":\"Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Logon Provider Registry Modification\\n\\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\\n\\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the `registry.data.strings` field to identify the DLL registered.\\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. 
Check for prevalence in the environment and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized third party network logon providers.\"],\"references\":[\"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\",\"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.209Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.data.strings : \\\"?*\\\" and registry.value : \\\"ProviderPath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\"\\n ) and\\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. 
*/\\n not (\\n user.id : \\\"S-1-5-18\\\" and\\n registry.data.strings : (\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\ntlanman.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\drprov.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\davclnt.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\vmhgfs.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\ICA Client\\\\\\\\x64\\\\\\\\pnsson.dll\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SARemediation\\\\\\\\agent\\\\\\\\DellMgmtNP.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Connect\\\\\\\\\\\\\\\\epcgina.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"revision\":0,\"current_rule\":{\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"updated_at\":\"2024-12-04T19:45:47.850Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.850Z\",\"created_by\":\"elastic\",\"name\":\"Windows Service Installed via an Unusual Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege 
Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ParentProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nSystem >\\nAudit Security System Extension (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"configuration where host.os.type == \\\"windows\\\" and\\n event.action == \\\"service-installed\\\" and\\n (winlog.event_data.ClientProcessId == \\\"0\\\" or winlog.event_data.ParentProcessId == \\\"0\\\") and\\n not winlog.event_data.ServiceFileName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\Crowdstrike\\\\\\\\*-CsInstallerService.exe\\\",\\n \\\"\\\\\\\"%windir%\\\\\\\\AdminArsenal\\\\\\\\PDQInventory-Scanner\\\\\\\\service-1\\\\\\\\PDQInventory-Scanner-1.exe\\\\\\\" \\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Service Installed via an Unusual Client\",\"description\":\"Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nSystem >\\nAudit Security System Extension (Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ParentProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.850Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where host.os.type == \\\"windows\\\" and\\n event.action == \\\"service-installed\\\" and\\n (winlog.event_data.ClientProcessId == \\\"0\\\" or winlog.event_data.ParentProcessId == \\\"0\\\") and\\n not winlog.event_data.ServiceFileName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n 
\\\"%SystemRoot%\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\Crowdstrike\\\\\\\\*-CsInstallerService.exe\\\",\\n \\\"\\\\\\\"%windir%\\\\\\\\AdminArsenal\\\\\\\\PDQInventory-Scanner\\\\\\\\service-1\\\\\\\\PDQInventory-Scanner-1.exe\\\\\\\" \\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\"],\"target_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"revision\":0,\"current_rule\":{\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"updated_at\":\"2024-12-04T19:45:47.852Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.852Z\",\"created_by\":\"elastic\",\"name\":\"PsExec Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating PsExec Network Connection\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"PsExec.exe\\\" and event.type == \\\"start\\\" and\\n\\n /* This flag suppresses the display of the license dialog and may\\n indicate that psexec executed for the first time in the machine */\\n process.args : \\\"-accepteula\\\" and\\n\\n not process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Docusnap\\\\\\\\Discovery\\\\\\\\discovery\\\\\\\\plugins\\\\\\\\17\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Docusnap 11\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Tools\\\\\\\\dsDNS.exe\\\") and\\n not process.parent.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cynet\\\\\\\\Cynet Scanner\\\\\\\\CynetScanner.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : 
\\\"PsExec.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PsExec Network Connection\",\"description\":\"Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PsExec Network Connection\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PsExec is a dual-use tool that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.852Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"PsExec.exe\\\" and event.type == \\\"start\\\" and\\n\\n /* This flag suppresses the display of the license dialog and may\\n indicate that psexec executed for the first time in the machine */\\n process.args : \\\"-accepteula\\\" and\\n\\n not process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Docusnap\\\\\\\\Discovery\\\\\\\\discovery\\\\\\\\plugins\\\\\\\\17\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Docusnap 11\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Tools\\\\\\\\dsDNS.exe\\\") and\\n not process.parent.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cynet\\\\\\\\Cynet Scanner\\\\\\\\CynetScanner.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and 
process.name : \\\"PsExec.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"revision\":0,\"current_rule\":{\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"updated_at\":\"2024-12-04T19:45:47.857Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.857Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a Host\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. 
It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_host\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a Host\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.857Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_host\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"revision\":0,\"current_rule\":{\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"updated_at\":\"2024-12-04T19:45:47.860Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.860Z\",\"created_by\":\"elastic\",\"name\":\"Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.002\",\"name\":\"Code 
Signing\",\"reference\":\"https://attack.mitre.org/techniques/T1553/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"event.provider:\\\"Microsoft-Windows-Audit-CVE\\\" and message:\\\"[CVE-2020-0601]\\\" and host.os.type:windows\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)\",\"description\":\"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.002\",\"name\":\"Code 
Signing\",\"reference\":\"https://attack.mitre.org/techniques/T1553/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true}],\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.860Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"event.provider:\\\"Microsoft-Windows-Audit-CVE\\\" and message:\\\"[CVE-2020-0601]\\\" and host.os.type:windows\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"revision\":0,\"current_rule\":{\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"updated_at\":\"2024-12-04T19:45:47.869Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.869Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell PSReflect Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell PSReflect Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. 
It also helps to create enums and structs easily—all without touching the disk.\\n\\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\\n\\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious 
processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of PSReflect to access the win32 API\"],\"from\":\"now-9m\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"New-InMemoryModule\\\" or\\n \\\"Add-Win32Type\\\" or\\n psenum or\\n DefineDynamicAssembly or\\n DefineDynamicModule or\\n \\\"Reflection.TypeAttributes\\\" or\\n \\\"Reflection.Emit.OpCodes\\\" or\\n \\\"Reflection.Emit.CustomAttributeBuilder\\\" or\\n \\\"Runtime.InteropServices.DllImportAttribute\\\"\\n ) and\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell PSReflect Script\",\"description\":\"Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell PSReflect Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily—all without touching the disk.\\n\\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\\n\\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of PSReflect to access the win32 API\"],\"references\":[\"https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to 
implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.869Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"New-InMemoryModule\\\" or\\n \\\"Add-Win32Type\\\" or\\n psenum or\\n DefineDynamicAssembly or\\n DefineDynamicModule or\\n \\\"Reflection.TypeAttributes\\\" or\\n \\\"Reflection.Emit.OpCodes\\\" or\\n \\\"Reflection.Emit.CustomAttributeBuilder\\\" or\\n \\\"Runtime.InteropServices.DllImportAttribute\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"revision\":0,\"current_rule\":{\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"updated_at\":\"2024-12-04T19:45:47.874Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.874Z\",\"created_by\":\"elastic\",\"name\":\"VNC (Virtual Network Computing) from the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. 
Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 
or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"VNC (Virtual Network Computing) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. 
Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.874Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and 
destination.port <= 5810 and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"revision\":0,\"current_rule\":{\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"updated_at\":\"2024-12-04T19:45:48.951Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.951Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell MiniDump Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell MiniDump Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell scripts that use this capability for troubleshooting.\"],\"from\":\"now-9m\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1\",\"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell MiniDump Script\",\"description\":\"This rule detects 
PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell MiniDump Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell scripts that use this capability for troubleshooting.\"],\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1\",\"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.951Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"revision\":0,\"current_rule\":{\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"updated_at\":\"2024-12-04T19:45:48.821Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.821Z\",\"created_by\":\"elastic\",\"name\":\"File Staged in Root Folder of Recycle Bin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies files written to the root of the Recycle Bin folder instead of subdirectories. 
Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.001\",\"name\":\"Local Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\" and\\n not file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\\\\\\*\\\" and\\n not file.name : \\\"desktop.ini\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Staged in Root Folder of Recycle Bin\",\"description\":\"Identifies files written to the root of the Recycle Bin folder instead of 
subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.001\",\"name\":\"Local Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.821Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type 
== \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\" and\\n not file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\\\\\\*\\\" and\\n not file.name : \\\"desktop.ini\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"revision\":0,\"current_rule\":{\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"updated_at\":\"2024-12-04T19:45:48.824Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.824Z\",\"created_by\":\"elastic\",\"name\":\"DNS Global Query Block List Modified or Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing\",\"https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n(\\n (registry.value : \\\"EnableGlobalQueryBlockList\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")) or\\n (registry.value : \\\"GlobalQueryBlockList\\\" and not registry.data.strings : \\\"wpad\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNS Global Query Block List Modified or Disabled\",\"description\":\"Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. 
Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing\",\"https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.824Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n(\\n (registry.value : \\\"EnableGlobalQueryBlockList\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")) or\\n (registry.value : \\\"GlobalQueryBlockList\\\" and not registry.data.strings : \\\"wpad\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"revision\":0,\"current_rule\":{\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"updated_at\":\"2024-12-04T19:45:48.828Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.828Z\",\"created_by\":\"elastic\",\"name\":\"Deleting Backup Catalogs with Wbadmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the wbadmin.exe to delete the backup catalog. 
Ransomware and other malware may do this to prevent system recovery.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Deleting Backup Catalogs with Wbadmin\\n\\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\\n\\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- 
Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name == \\\"WBADMIN.EXE\\\") and\\n process.args : \\\"catalog\\\" and process.args : \\\"delete\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Deleting Backup Catalogs with Wbadmin\",\"description\":\"Identifies use of the wbadmin.exe to delete the backup catalog. 
Ransomware and other malware may do this to prevent system recovery.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Deleting Backup Catalogs with Wbadmin\\n\\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\\n\\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- 
Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.828Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name == \\\"WBADMIN.EXE\\\") and\\n process.args : \\\"catalog\\\" and process.args : 
\\\"delete\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"revision\":0,\"current_rule\":{\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"updated_at\":\"2024-12-04T19:45:40.184Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.184Z\",\"created_by\":\"elastic\",\"name\":\"RDP Enabled via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. 
This could be indicative of adversary lateral movement preparation.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating RDP Enabled via Registry\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it using firewall rules:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\" and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RDP Enabled via Registry\",\"description\":\"Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating RDP Enabled via Registry\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it using firewall rules:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data 
Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.184Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == 
\\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\" and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"revision\":0,\"current_rule\":{\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"updated_at\":\"2024-12-04T19:45:48.833Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.833Z\",\"created_by\":\"elastic\",\"name\":\"Potential Lateral Tool Transfer via SMB Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or change of a Windows executable file over network shares. 
Adversaries may transfer tools or other files between systems in a compromised environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Lateral Tool Transfer via SMB Share\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the created file and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-endpoint.events.network-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid == 4 and destination.port == 445 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n network.transport == \\\"tcp\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n /* add more executable extensions here if they are not noisy in your environment */\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and process.pid == 4 and \\n (file.Ext.header_bytes : \\\"4d5a*\\\" or file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"pif\\\", \\\"com\\\", \\\"dll\\\"))] by 
process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Lateral Tool Transfer via SMB Share\",\"description\":\"Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Lateral Tool Transfer via SMB Share\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the created file and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.833Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid == 4 and destination.port == 445 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n network.transport == \\\"tcp\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n /* add more executable extensions here if they are not noisy in your environment */\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and process.pid == 4 and \\n (file.Ext.header_bytes : \\\"4d5a*\\\" or file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"pif\\\", \\\"com\\\", \\\"dll\\\"))] by 
process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"revision\":0,\"current_rule\":{\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"updated_at\":\"2024-12-04T19:45:48.851Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.851Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Privileged IFileOperation COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL 
Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/hfiref0x/UACME\",\"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"change\\\" and process.name : \\\"dllhost.exe\\\" and\\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\\n file.name : (\\\"wow64log.dll\\\", \\\"comctl32.dll\\\", \\\"DismCore.dll\\\", \\\"OskSupport.dll\\\", \\\"duser.dll\\\", \\\"Accessibility.ni.dll\\\") and\\n /* has no impact on rule logic just to avoid OS install related FPs 
*/\\n not file.path : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt via Privileged IFileOperation COM Interface\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/hfiref0x/UACME\",\"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control 
Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.851Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"change\\\" and process.name : \\\"dllhost.exe\\\" and\\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\\n file.name : (\\\"wow64log.dll\\\", \\\"comctl32.dll\\\", \\\"DismCore.dll\\\", \\\"OskSupport.dll\\\", \\\"duser.dll\\\", \\\"Accessibility.ni.dll\\\") and\\n /* has no impact on rule logic just to avoid OS install related FPs */\\n not file.path : 
(\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"revision\":0,\"current_rule\":{\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"updated_at\":\"2024-12-04T19:45:48.861Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.861Z\",\"created_by\":\"elastic\",\"name\":\"Potential Secure File Deletion via SDelete Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Secure File Deletion via SDelete Utility\\n\\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\\n\\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and file.name : \\\"*AAA.AAA\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Secure File Deletion via SDelete Utility\",\"description\":\"Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Secure File Deletion via SDelete Utility\\n\\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. 
Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\\n\\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.861Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and file.name : \\\"*AAA.AAA\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"revision\":0,\"current_rule\":{\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"updated_at\":\"2024-12-04T19:45:48.866Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.866Z\",\"created_by\":\"elastic\",\"name\":\"SUID/SGUID Enumeration Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the \\\"find\\\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. 
In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"find\\\" and process.args : \\\"-perm\\\" and process.args : (\\n \\\"/6000\\\", \\\"-6000\\\", \\\"/4000\\\", \\\"-4000\\\", \\\"/2000\\\", \\\"-2000\\\", \\\"/u=s\\\", \\\"-u=s\\\", \\\"/g=s\\\", \\\"-g=s\\\", \\\"/u=s,g=s\\\", \\\"/g=s,u=s\\\"\\n) and not (\\n user.Ext.real.id == \\\"0\\\" or group.Ext.real.id == \\\"0\\\" or process.args_count >= 12 or \\n (process.args : \\\"/usr/bin/pkexec\\\" and process.args : \\\"-xdev\\\" and process.args_count == 7)\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SUID/SGUID Enumeration Detected\",\"description\":\"This rule monitors for the usage of the \\\"find\\\" command in conjunction with SUID and 
SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.866Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"find\\\" and process.args : \\\"-perm\\\" and process.args : (\\n \\\"/6000\\\", \\\"-6000\\\", \\\"/4000\\\", \\\"-4000\\\", \\\"/2000\\\", \\\"-2000\\\", \\\"/u=s\\\", \\\"-u=s\\\", \\\"/g=s\\\", \\\"-g=s\\\", \\\"/u=s,g=s\\\", \\\"/g=s,u=s\\\"\\n) and not (\\n 
user.Ext.real.id == \\\"0\\\" or group.Ext.real.id == \\\"0\\\" or process.args_count >= 12 or \\n (process.args : \\\"/usr/bin/pkexec\\\" and process.args : \\\"-xdev\\\" and process.args_count == 7)\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"revision\":0,\"current_rule\":{\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"updated_at\":\"2024-12-04T19:45:48.868Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.868Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious which Enumeration\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the which command with an unusual amount of process arguments. 
Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not process.parent.name == \\\"jem\\\" and \\nnot process.args == \\\"--tty-only\\\"\\n\\n/* potential tuning if rule would turn out to be noisy\\nand 
process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious which Enumeration\",\"description\":\"This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.868Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not process.parent.name == \\\"jem\\\" and \\nnot process.args == \\\"--tty-only\\\"\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") 
or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"revision\":0,\"current_rule\":{\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"updated_at\":\"2024-12-04T19:45:48.873Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.873Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PrintSpooler Service Executable File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. 
For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/\",\"https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\sysWOW64\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PrintSpooler Service Executable File Creation\",\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. 
For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/\",\"https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.873Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : 
\\\"dll\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"file.path\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"high\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":73,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"k
eyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"eql\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\
\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\sysWOW64\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"host.id\",\"file.path\"],\"merged_version\":[\"host.id\",\"file.path\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":13,\"num_fields_with_conflicts\":12,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"revision\":0,\"current_rule\":{\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"updated_at\":\"2024-12-04T19:46:03.767Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.767Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Veeam Credential Access Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\",\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging 
policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"[dbo].[Credentials]\\\" and\\n (\\\"Veeam\\\" or \\\"VeeamBackup\\\")\\n ) or\\n \\\"ProtectedStorage]::GetLocalString\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Veeam Credential Access Capabilities\",\"description\":\"Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\",\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.767Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"[dbo].[Credentials]\\\" and\\n (\\\"Veeam\\\" or \\\"VeeamBackup\\\")\\n ) or\\n \\\"ProtectedStorage]::GetLocalString\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"revision\":0,\"current_rule\":{\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"updated_at\":\"2024-12-04T19:45:48.880Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.880Z\",\"created_by\":\"elastic\",\"name\":\"FirstTime Seen Account Performing DCSync\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating FirstTime Seen Account Performing DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 
3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"new_terms\",\"query\":\"event.action:(\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and event.code:\\\"4662\\\" and\\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\\n 
*DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\\n\",\"new_terms_fields\":[\"winlog.event_data.SubjectUserName\"],\"history_window_start\":\"now-15d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"FirstTime Seen Account Performing DCSync\",\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating FirstTime Seen Account Performing DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. 
This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.880Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.action:(\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and event.code:\\\"4662\\\" and\\n 
winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\\n\",\"new_terms_fields\":[\"winlog.event_data.SubjectUserName\"],\"history_window_start\":\"now-15d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"revision\":0,\"current_rule\":{\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"updated_at\":\"2024-12-04T19:45:48.883Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.883Z\",\"created_by\":\"elastic\",\"name\":\"Potential Meterpreter Reverse Shell\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. 
Detecting this pattern is indicative of a successful meterpreter shell connection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat 
is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -w /proc/net/ -p r -k audit_proc\\n -w /etc/machine-id -p wa -k machineid\\n -w /etc/passwd -p wa -k passwd\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, user.id\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/machine-id\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall 
== \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/passwd\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/ipv6_route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/if_inet6\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Meterpreter Reverse Shell\",\"description\":\"This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -w /proc/net/ -p r -k audit_proc\\n -w /etc/machine-id -p wa -k machineid\\n -w /etc/passwd -p wa -k 
passwd\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.883Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, user.id\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/machine-id\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/passwd\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/ipv6_route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == 
\\\"/proc/net/if_inet6\\\"]\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"revision\":0,\"current_rule\":{\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"updated_at\":\"2024-12-04T19:45:48.894Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.894Z\",\"created_by\":\"elastic\",\"name\":\"Outbound Scheduled Task Activity via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. 
This may indicate lateral movement or remote discovery via scheduled tasks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\
",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and destination.port == 135 and not destination.address in (\\\"127.0.0.1\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Outbound Scheduled Task Activity via PowerShell\",\"description\":\"Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. 
This may indicate lateral movement or remote discovery via scheduled tasks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.894Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and destination.port == 135 and not destination.address in (\\\"127.0.0.1\\\", 
\\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\"],\"target_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"revision\":0,\"current_rule\":{\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"updated_at\":\"2024-12-04T19:45:48.896Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.896Z\",\"created_by\":\"elastic\",\"name\":\"User Added to Privileged Group\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Added to Privileged Group in Active Directory\\n\\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\\n\\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\\n\\nThis rule monitors events related to a user being added to a privileged group.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should manage members of this group.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\\n- If the user does not need the administrator privileges, remove the account from the privileged group.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Skoetting\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.action == \\\"added-member-to-group\\\" and\\n(\\n (\\n group.name : (\\n \\\"Admin*\\\",\\n \\\"Local Administrators\\\",\\n \\\"Domain Admins\\\",\\n \\\"Enterprise Admins\\\",\\n \\\"Backup Admins\\\",\\n \\\"Schema Admins\\\",\\n \\\"DnsAdmins\\\",\\n \\\"Exchange Organization Administrators\\\",\\n \\\"Print Operators\\\",\\n \\\"Server Operators\\\",\\n \\\"Account Operators\\\"\\n )\\n ) or\\n (\\n group.id : (\\n \\\"S-1-5-32-544\\\",\\n \\\"S-1-5-21-*-544\\\",\\n \\\"S-1-5-21-*-512\\\",\\n \\\"S-1-5-21-*-519\\\",\\n 
\\\"S-1-5-21-*-551\\\",\\n \\\"S-1-5-21-*-518\\\",\\n \\\"S-1-5-21-*-1101\\\",\\n \\\"S-1-5-21-*-1102\\\",\\n \\\"S-1-5-21-*-550\\\",\\n \\\"S-1-5-21-*-549\\\",\\n \\\"S-1-5-21-*-548\\\"\\n )\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User Added to Privileged Group\",\"description\":\"Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Added to Privileged Group in Active Directory\\n\\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\\n\\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\\n\\nThis rule monitors events related to a user being added to a privileged group.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should manage members of this group.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\\n- If the user does not need the administrator privileges, remove the account from the privileged group.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Skoetting\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.896Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where 
winlog.api == \\\"wineventlog\\\" and event.action == \\\"added-member-to-group\\\" and\\n(\\n (\\n group.name : (\\n \\\"Admin*\\\",\\n \\\"Local Administrators\\\",\\n \\\"Domain Admins\\\",\\n \\\"Enterprise Admins\\\",\\n \\\"Backup Admins\\\",\\n \\\"Schema Admins\\\",\\n \\\"DnsAdmins\\\",\\n \\\"Exchange Organization Administrators\\\",\\n \\\"Print Operators\\\",\\n \\\"Server Operators\\\",\\n \\\"Account Operators\\\"\\n )\\n ) or\\n (\\n group.id : (\\n \\\"S-1-5-32-544\\\",\\n \\\"S-1-5-21-*-544\\\",\\n \\\"S-1-5-21-*-512\\\",\\n \\\"S-1-5-21-*-519\\\",\\n \\\"S-1-5-21-*-551\\\",\\n \\\"S-1-5-21-*-518\\\",\\n \\\"S-1-5-21-*-1101\\\",\\n \\\"S-1-5-21-*-1102\\\",\\n \\\"S-1-5-21-*-550\\\",\\n \\\"S-1-5-21-*-549\\\",\\n \\\"S-1-5-21-*-548\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"revision\":0,\"current_rule\":{\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"updated_at\":\"2024-12-04T19:45:48.899Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.899Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via PowerShell profile\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via PowerShell profile\\n\\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. 
However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\\n\\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\\n- Identify the process responsible for the PowerShell profile creation/modification. 
Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell 
Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles\",\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\PowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\*\\\") and\\n file.name : (\\\"profile.ps1\\\", \\\"Microsoft.Powershell_profile.ps1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via PowerShell profile\",\"description\":\"Identifies the creation or modification of a PowerShell profile. 
PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via PowerShell profile\\n\\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\\n\\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\\n- Identify the process responsible for the PowerShell profile creation/modification. 
Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles\",\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.899Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\PowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\*\\\") and\\n file.name : (\\\"profile.ps1\\\", \\\"Microsoft.Powershell_profile.ps1\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"revision\":0,\"current_rule\":{\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"updated_at\":\"2024-12-04T19:45:48.903Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.903Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Scheduled Task\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks running third party 
software.\"],\"from\":\"now-9m\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* Schedule service cmdline on Win10+ */\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"Schedule\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) and\\n /* add suspicious paths here */\\n process.args : (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\HP\\\\\\\\*\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\*.bat\\\" and process.working_directory : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\") and\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n not (process.name : 
\\\"powershell.exe\\\" and process.args : (\\\"-File\\\", \\\"-PSConsoleFile\\\") and user.id : \\\"S-1-5-18\\\") and\\n not (process.name : \\\"msiexec.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Scheduled Task\",\"description\":\"Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks running third party software.\"],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.903Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* Schedule service cmdline on Win10+ */\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"Schedule\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in\\n 
(\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) and\\n /* add suspicious paths here */\\n process.args : (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\HP\\\\\\\\*\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\*.bat\\\" and process.working_directory : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\") and\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : (\\\"-File\\\", \\\"-PSConsoleFile\\\") and user.id : \\\"S-1-5-18\\\") and\\n not (process.name : \\\"msiexec.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"revision\":0,\"current_rule\":{\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"updated_at\":\"2024-12-04T19:46:03.772Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.772Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL loaded by DNS Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. 
This can lead to privilege escalation and remote code execution with SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://adsecurity.org/?p=4064\",\"https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.category : (\\\"library\\\", \\\"process\\\") and\\n event.type : (\\\"start\\\", \\\"change\\\") and event.action : (\\\"load\\\", \\\"Image loaded*\\\") and\\n process.executable : 
\\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dns.exe\\\" and \\n not ?dll.code_signature.trusted == true and\\n not file.code_signature.status == \\\"Valid\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL loaded by DNS Service\",\"description\":\"Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://adsecurity.org/?p=4064\",\"https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.772Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.category : (\\\"library\\\", \\\"process\\\") and\\n event.type : (\\\"start\\\", \\\"change\\\") and event.action : (\\\"load\\\", \\\"Image loaded*\\\") and\\n process.executable : \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dns.exe\\\" and \\n not ?dll.code_signature.trusted == true and\\n not file.code_signature.status == \\\"Valid\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"updated_at\":\"2024-12-04T19:45:48.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.908Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace 2SV Policy Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user 
accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace 2SV Policy Disabled\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\\n\\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\\n\\nThis rule detects when a 2SV policy is disabled in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\\n- After identifying the involved user account, verify administrative privileges are scoped properly.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After finding the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.\"],\"from\":\"now-130m\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.login\\\" and event.action:\\\"2sv_disable\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace 2SV Policy Disabled\",\"description\":\"Google Workspace admins may setup 2-step 
verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace 2SV Policy Disabled\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\\n\\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\\n\\nThis rule detects when a 2SV policy is disabled in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\\n- After identifying the involved user account, verify administrative privileges are scoped properly.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After finding the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.login\\\" and event.action:\\\"2sv_disable\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"revision\":0,\"current_rule\":{\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"updated_at\":\"2024-12-04T19:45:48.913Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.913Z\",\"created_by\":\"elastic\",\"name\":\"AWS S3 Bucket Enumeration or Brute Force\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Log Auditing\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS S3 Bucket Enumeration or Brute Force\\n\\nAWS S3 buckets can be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \\\"Access Denied\\\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\\n\\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\\n\\n#### Possible investigation steps\\n\\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also cause false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\\n\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Known or internal account IDs or automation\"],\"from\":\"now-6m\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1657\",\"name\":\"Financial Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1657/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1580\",\"name\":\"Cloud Infrastructure Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1580/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1530\",\"name\":\"Data from Cloud Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1530/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1\",\"https://docs.aws.amazon.com/cli/latest/reference/s3api/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n| stats failed_requests = count(*) by 
tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS S3 Bucket Enumeration or Brute Force\",\"description\":\"Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS S3 Bucket Enumeration or Brute Force\\n\\nAWS S3 buckets can be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \\\"Access Denied\\\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\\n\\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\\n\\n#### Possible investigation steps\\n\\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also cause false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\\n\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Log Auditing\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Known or internal account IDs or automation\"],\"references\":[\"https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1\",\"https://docs.aws.amazon.com/cli/latest/reference/s3api/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1657\",\"name\":\"Financial Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1657/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1580\",\"name\":\"Cloud Infrastructure Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1580/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1530\",\"name\":\"Data from Cloud 
Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1530/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.913Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"merged_version\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n| stats failed_requests = count(*) by 
tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"revision\":0,\"current_rule\":{\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"updated_at\":\"2024-12-04T19:46:03.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.774Z\",\"created_by\":\"elastic\",\"name\":\"Potential 
File Download via a Headless Browser\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Download via a Headless Browser\\n\\n- Investigate the process execution chain (parent process tree).\\n- Investigate the process network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msedge/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\") and\\n (process.args : \\\"--headless*\\\" or process.args : \\\"data:text/html;base64,*\\\") and\\n process.parent.name :\\n (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"mshta.exe\\\", \\\"conhost.exe\\\", \\\"msiexec.exe\\\",\\n \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\", \\\"onenote.exe\\\", \\\"hh.exe\\\", \\\"powerpnt.exe\\\", \\\"forfiles.exe\\\",\\n \\\"pcalua.exe\\\", \\\"wmiprvse.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential File Download via a Headless Browser\",\"description\":\"Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. 
Adversaries may use browsers to avoid ingress tool transfer restrictions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Download via a Headless Browser\\n\\n- Investigate the process execution chain (parent process tree).\\n- Investigate the process network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msedge/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\") and\\n (process.args : \\\"--headless*\\\" or process.args : \\\"data:text/html;base64,*\\\") and\\n process.parent.name :\\n (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"mshta.exe\\\", \\\"conhost.exe\\\", \\\"msiexec.exe\\\",\\n \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\", \\\"onenote.exe\\\", \\\"hh.exe\\\", \\\"powerpnt.exe\\\", \\\"forfiles.exe\\\",\\n \\\"pcalua.exe\\\", 
\\\"wmiprvse.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"revision\":0,\"current_rule\":{\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"updated_at\":\"2024-12-04T19:45:48.927Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.927Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network activity from unexpected system applications. 
This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process Network Connection\\n\\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that the process is communicating with.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n 
process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Network Connection\",\"description\":\"Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process Network Connection\\n\\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that the process is communicating with.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.927Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : 
\\\"xwizard.exe\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"revision\":0,\"current_rule\":{\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"updated_at\":\"2024-12-04T19:45:48.929Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.929Z\",\"created_by\":\"elastic\",\"name\":\"Interactive Logon by an Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies interactive logon attempt with alternate credentials and by an unusual process. 
Adversaries may create a new token to escalate privileges and bypass access controls.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nAudit event 4624 is needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"authentication where \\n host.os.type : \\\"windows\\\" and winlog.event_data.LogonProcessName : \\\"Advapi*\\\" and \\n winlog.logon.type == \\\"Interactive\\\" and winlog.event_data.SubjectUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and \\n winlog.event_data.TargetUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.executable : \\\"C:\\\\\\\\*\\\" and \\n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winlogon.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wininit.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Interactive Logon by an Unusual Process\",\"description\":\"Identifies interactive logon attempt with alternate credentials and by an unusual process. 
Adversaries may create a new token to escalate privileges and bypass access controls.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"setup\":\"## Setup\\n\\nAudit event 4624 is needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.929Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"authentication where \\n host.os.type : \\\"windows\\\" and winlog.event_data.LogonProcessName : \\\"Advapi*\\\" and \\n winlog.logon.type == \\\"Interactive\\\" and winlog.event_data.SubjectUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and \\n winlog.event_data.TargetUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.executable : \\\"C:\\\\\\\\*\\\" and \\n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winlogon.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wininit.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"revision\":0,\"current_rule\":{\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"updated_at\":\"2024-12-04T19:45:48.932Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.932Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Discovery 
Related Windows API Functions\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n\\n### False positive analysis\\n\\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"from\":\"now-9m\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":214,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n NetShareEnum or\\n NetWkstaUserEnum or\\n NetSessionEnum or\\n NetLocalGroupEnum or\\n NetLocalGroupGetMembers or\\n DsGetSiteName or\\n 
DsEnumerateDomainTrusts or\\n WTSEnumerateSessionsEx or\\n WTSQuerySessionInformation or\\n LsaGetLogonSessionData or\\n QueryServiceObjectSecurity or\\n GetComputerNameEx or\\n NetWkstaGetInfo or\\n GetUserNameEx or\\n NetUserEnum or\\n NetUserGetInfo or\\n NetGroupEnum or\\n NetGroupGetInfo or\\n NetGroupGetUsers or\\n NetWkstaTransportEnum or\\n NetServerGetInfo or\\n LsaEnumerateTrustedDomains or\\n NetScheduleJobEnum or\\n NetUserModalsGet\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"DsGetSiteName\\\" and (\\\"DiscoverWindowsComputerProperties.ps1\\\" and \\\"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\\\")) or\\n (\\\"# Copyright: (c) 2018, Ansible Project\\\" and \\\"#Requires -Module Ansible.ModuleUtils.AddType\\\" and \\\"#AnsibleRequires -CSharpUtil Ansible.Basic\\\") or\\n (\\\"Ansible.Windows.Setup\\\" and \\\"Ansible.Windows.Setup\\\" and \\\"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\\\")\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Discovery Related Windows API Functions\",\"description\":\"This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n\\n### False positive analysis\\n\\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. 
However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":316,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.932Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n NetShareEnum or\\n NetWkstaUserEnum or\\n NetSessionEnum or\\n NetLocalGroupEnum or\\n NetLocalGroupGetMembers or\\n DsGetSiteName or\\n DsEnumerateDomainTrusts or\\n WTSEnumerateSessionsEx or\\n WTSQuerySessionInformation or\\n LsaGetLogonSessionData or\\n QueryServiceObjectSecurity or\\n GetComputerNameEx or\\n NetWkstaGetInfo or\\n GetUserNameEx or\\n NetUserEnum or\\n NetUserGetInfo or\\n NetGroupEnum or\\n NetGroupGetInfo or\\n NetGroupGetUsers or\\n NetWkstaTransportEnum or\\n NetServerGetInfo or\\n LsaEnumerateTrustedDomains or\\n NetScheduleJobEnum or\\n NetUserModalsGet\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"DsGetSiteName\\\" and 
(\\\"DiscoverWindowsComputerProperties.ps1\\\" and \\\"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\\\")) or\\n (\\\"# Copyright: (c) 2018, Ansible Project\\\" and \\\"#Requires -Module Ansible.ModuleUtils.AddType\\\" and \\\"#AnsibleRequires -CSharpUtil Ansible.Basic\\\") or\\n (\\\"Ansible.Windows.Setup\\\" and \\\"Ansible.Windows.Setup\\\" and \\\"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":214,\"target_version\":316,\"merged_version\":316,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"revision\":0,\"current_rule\":{\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"updated_at\":\"2024-12-04T19:45:48.934Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.934Z\",\"created_by\":\"elastic\",\"name\":\"AdminSDHolder SDProp Exclusion Added\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded 
from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdminSDHolder SDProp Exclusion Added\\n\\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\\n\\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\\n\\nAdministrators can use the dSHeuristics attribute to exclude privileged groups from the SDProp process by setting the 16th character (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\\n\\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\\n\\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\\n\\nThis rule matches changes of the dSHeuristics attribute where the 16th character is set to a value other than zero.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of 
action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check the value assigned to the 16th character of the string on the `winlog.event_data.AttributeValue` field:\\n - Account Operators eq 1\\n - Server Operators eq 2\\n - Print Operators eq 4\\n - Backup Operators eq 8\\n That character can range from 0 to f (15). The values are bit flags, so if more than one group is specified they are added together into a single hexadecimal digit; for example, excluding both Backup Operators (8) and Print Operators (4) sets that character to `c`.\\n\\n### False positive analysis\\n\\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\\n\\n### Response and remediation\\n\\n- The change can be reverted by setting the dwAdminSDExMask (16th character) to 0 in dSHeuristics.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad\",\"https://petri.com/active-directory-security-understanding-adminsdholder-object\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success)\\n```\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5136\\\" and\\n 
winlog.event_data.AttributeLDAPDisplayName : \\\"dSHeuristics\\\" and\\n length(winlog.event_data.AttributeValue) > 15 and\\n winlog.event_data.AttributeValue regex~ \\\"[0-9]{15}([1-9a-f]).*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdminSDHolder SDProp Exclusion Added\",\"description\":\"Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdminSDHolder SDProp Exclusion Added\\n\\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\\n\\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\\n\\nAdministrators can use the dSHeuristics attribute to exclude privileged groups from the SDProp process by setting the 16th character (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\\n\\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\\n\\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\\n\\nThis rule matches changes of the dSHeuristics attribute where the 16th character is set to a value other than zero.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check the value assigned to the 16th character of the string on the `winlog.event_data.AttributeValue` field:\\n - Account Operators eq 1\\n - Server Operators eq 2\\n - Print Operators eq 4\\n - Backup Operators eq 8\\n That character can range from 0 to f (15). The values are bit flags, so if more than one group is specified they are added together into a single hexadecimal digit; for example, excluding both Backup Operators (8) and Print Operators (4) sets that character to `c`.\\n\\n### False positive analysis\\n\\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\\n\\n### Response and remediation\\n\\n- The change can be reverted by setting the dwAdminSDExMask (16th character) to 0 in dSHeuristics.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad\",\"https://petri.com/active-directory-security-understanding-adminsdholder-object\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit 
Policies >\\nDS Access >\\nAudit Directory Service Changes (Success)\\n```\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.934Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName : \\\"dSHeuristics\\\" and\\n length(winlog.event_data.AttributeValue) > 15 and\\n winlog.event_data.AttributeValue regex~ 
\\\"[0-9]{15}([1-9a-f]).*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"revision\":0,\"current_rule\":{\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"updated_at\":\"2024-12-04T19:45:48.939Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.939Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement via MSHTA\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System 
Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://codewhitesec.blogspot.com/2018/07/lethalhta.html\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mshta.exe\\\" and process.args : \\\"-Embedding\\\"\\n ] by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and 
source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement via MSHTA\",\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://codewhitesec.blogspot.com/2018/07/lethalhta.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.939Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mshta.exe\\\" and process.args : \\\"-Embedding\\\"\\n ] by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, 
process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"revision\":0,\"current_rule\":{\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"updated_at\":\"2024-12-04T19:45:48.941Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.941Z\",\"created_by\":\"elastic\",\"name\":\"Account Configured with Never-Expiring Password\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation and modification of an account with the \\\"Don't Expire Password\\\" option Enabled. 
Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Configured with Never-Expiring Password\\n\\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\\n\\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Reset the password of the account and update its password settings.\\n- Search for other occurrences on the domain.\\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\"],\"from\":\"now-9m\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire\",\"http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"modified-user-account\\\" and winlog.api:\\\"wineventlog\\\" and event.code:\\\"4738\\\" and\\n message:\\\"'Don't Expire Password' - Enabled\\\" and not user.id:\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Configured with Never-Expiring Password\",\"description\":\"Detects the creation and modification of an account with the \\\"Don't Expire Password\\\" option Enabled. 
Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Configured with Never-Expiring Password\\n\\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\\n\\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Reset the password of the account and update its password settings.\\n- Search for other occurrences on the domain.\\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\"],\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire\",\"http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.666Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.941Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"modified-user-account\\\" and winlog.api:\\\"wineventlog\\\" and event.code:\\\"4738\\\" and\\n message:\\\"'Don't Expire Password' - Enabled\\\" and not 
user.id:\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"revision\":0,\"current_rule\":{\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"updated_at\":\"2024-12-04T19:45:48.946Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.946Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection Initiated by SSHD Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. 
Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and 
Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://hadess.io/the-art-of-linux-persistence/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n 
\\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\")\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection Initiated by SSHD Child Process\",\"description\":\"This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://hadess.io/the-art-of-linux-persistence/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.946Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n 
[network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executa
ble\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\")\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", 
\\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable 
in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"revision\":0,\"current_rule\":{\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"updated_at\":\"2024-12-04T19:45:49.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.908Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Signed Binary\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Signed Binary\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. 
Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n not cidrmatch(destination.ip,\\n \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\",\\n \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\",\\n \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", 
\\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Signed Binary\",\"description\":\"Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Signed Binary\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n not cidrmatch(destination.ip,\\n \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\",\\n \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\",\\n \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", 
\\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"revision\":0,\"current_rule\":{\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"updated_at\":\"2024-12-04T19:45:49.916Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.916Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Recently Compiled Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. 
Attackers may spawn reverse shells to establish persistence onto a target system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and \\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")] by process.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Recently Compiled Executable\",\"description\":\"This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. 
Attackers may spawn reverse shells to establish persistence onto a target system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.916Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" 
and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and \\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n 
[process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"revision\":0,\"current_rule\":{\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"updated_at\":\"2024-12-04T19:45:49.931Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.931Z\",\"created_by\":\"elastic\",\"name\":\"WebServer Access Logs Deleted\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\"}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where event.type == \\\"deletion\\\" and\\n file.path : (\\\"C:\\\\\\\\inetpub\\\\\\\\logs\\\\\\\\LogFiles\\\\\\\\*.log\\\",\\n \\\"/var/log/apache*/access.log\\\",\\n \\\"/etc/httpd/logs/access_log\\\",\\n \\\"/var/log/httpd/access_log\\\",\\n \\\"/var/www/*/logs/access.log\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WebServer Access Logs Deleted\",\"description\":\"Identifies the deletion of WebServer access logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.931Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.type == \\\"deletion\\\" and\\n file.path : (\\\"C:\\\\\\\\inetpub\\\\\\\\logs\\\\\\\\LogFiles\\\\\\\\*.log\\\",\\n \\\"/var/log/apache*/access.log\\\",\\n \\\"/etc/httpd/logs/access_log\\\",\\n \\\"/var/log/httpd/access_log\\\",\\n \\\"/var/www/*/logs/access.log\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"revision\":0,\"current_rule\":{\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"updated_at\":\"2024-12-04T19:45:49.936Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.936Z\",\"created_by\":\"elastic\",\"name\":\"Connection to Commonly Abused Web Services\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1102\",\"name\":\"Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1102/\"},{\"id\":\"T1568\",\"name\":\"Dynamic 
Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\",\"subtechnique\":[{\"id\":\"T1567.001\",\"name\":\"Exfiltration to Code Repository\",\"reference\":\"https://attack.mitre.org/techniques/T1567/001/\"},{\"id\":\"T1567.002\",\"name\":\"Exfiltration to Cloud Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1567/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":114,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n 
\\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n 
\\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : 
\\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n ) \\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Connection to Commonly Abused Web Services\",\"description\":\"Adversaries may implement command and control (C2) communications that use common web 
services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":116,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1102\",\"name\":\"Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1102/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\",\"subtechnique\":[{\"id\":\"T1567.001\",\"name\":\"Exfiltration to Code Repository\",\"reference\":\"https://attack.mitre.org/techniques/T1567/001/\"},{\"id\":\"T1567.002\",\"name\":\"Exfiltration to Cloud 
Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1567/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.936Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n 
\\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and 
(process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":114,\"target_version\":116,\"merged_version\":116,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n 
\\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\") and\\n 
\\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and 
dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n ) \\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n 
\\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n 
\\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", 
\\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and 
network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n 
\\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : 
\\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, 
Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"revision\":0,\"current_rule\":{\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"updated_at\":\"2024-12-04T19:45:49.943Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.943Z\",\"created_by\":\"elastic\",\"name\":\"Modification of the msPKIAccountCredentials\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. 
ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msPKIAccountCredentials\\\" and winlog.event_data.OperationType:\\\"%%14674\\\" and\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of the msPKIAccountCredentials\",\"description\":\"Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. 
ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.943Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msPKIAccountCredentials\\\" and winlog.event_data.OperationType:\\\"%%14674\\\" and\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: 
Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"revision\":0,\"current_rule\":{\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"updated_at\":\"2024-12-04T19:45:40.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.172Z\",\"created_by\":\"elastic\",\"name\":\"Image File Execution Options Injection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. 
This functionality can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Image File Execution Options Injection\",\"description\":\"The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. 
This functionality can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", 
\\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"revision\":0,\"current_rule\":{\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"updated_at\":\"2024-12-04T19:45:49.961Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.961Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via TelemetryController Scheduled Task Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : 
\\\"CompatTelRunner.exe\\\" and process.args : \\\"-cv*\\\" and\\n not process.name : (\\\"conhost.exe\\\",\\n \\\"DeviceCensus.exe\\\",\\n \\\"CompatTelRunner.exe\\\",\\n \\\"DismHost.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"powershell.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via TelemetryController Scheduled Task Hijack\",\"description\":\"Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.961Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"CompatTelRunner.exe\\\" and process.args : \\\"-cv*\\\" and\\n not process.name : (\\\"conhost.exe\\\",\\n \\\"DeviceCensus.exe\\\",\\n \\\"CompatTelRunner.exe\\\",\\n \\\"DismHost.exe\\\",\\n \\\"rundll32.exe\\\",\\n 
\\\"powershell.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"revision\":0,\"current_rule\":{\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"updated_at\":\"2024-12-04T19:45:49.968Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.968Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Admin Role Assigned to a User\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. 
An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single sign-on if enabled in Google Workspace.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Assigned to a User\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\\n\\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user who received the admin role.\\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify their administrative privileges are scoped properly.\\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently received this new admin role.\\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying the user account that added the admin role, verify the action was intentional.\\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/172176?hl=en\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.role.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.action:\\\"ASSIGN_ROLE\\\"\\n and google_workspace.event.type:\\\"DELEGATED_ADMIN_SETTINGS\\\" and google_workspace.admin.role.name : *_ADMIN_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Admin Role Assigned to a User\",\"description\":\"Assigning the administrative role to a user will grant them access to the Google 
Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Assigned to a User\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\\n\\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user who received the admin role.\\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify their administrative privileges are scoped properly.\\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently received this new admin role.\\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying user account that added the admin role, verify the action was intentional.\\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.role.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.968Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.action:\\\"ASSIGN_ROLE\\\"\\n and google_workspace.event.type:\\\"DELEGATED_ADMIN_SETTINGS\\\" and google_workspace.admin.role.name : *_ADMIN_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/172176?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"revision\":0,\"current_rule\":{\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"updated_at\":\"2024-12-04T19:45:40.189Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.189Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Task Created by a Windows Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. 
This can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan = 30s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"\\n )]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Task Created by a Windows Script\",\"description\":\"A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.189Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 30s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and 
registry.value : \\\"Actions\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"\\n )]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"revision\":0,\"current_rule\":{\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"updated_at\":\"2024-12-04T19:45:49.973Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.973Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Access to LDAP Attributes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: System\",\"Data 
Source: Active Directory\",\"Data Source: Windows\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory 
Service Changes (Success,Failure)\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n winlog.event_data.AccessMaskDescription == \\\"Read Property\\\" and length(winlog.event_data.Properties) >= 2000\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Access to LDAP Attributes\",\"description\":\"Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: System\",\"Data Source: Active Directory\",\"Data Source: Windows\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\"}]}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration 
>\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.973Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n winlog.event_data.AccessMaskDescription == \\\"Read Property\\\" and length(winlog.event_data.Properties) >= 2000\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"revision\":0,\"current_rule\":{\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"updated_at\":\"2024-12-04T19:45:49.976Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.976Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via ICMLuaUtil Elevated COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"dllhost.exe\\\" and\\n process.parent.args in (\\\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\", \\\"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\\\") and\\n process.pe.original_file_name != \\\"WerFault.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via ICMLuaUtil Elevated COM Interface\",\"description\":\"Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process 
Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.976Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"dllhost.exe\\\" and\\n process.parent.args in (\\\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\", \\\"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\\\") and\\n process.pe.original_file_name != \\\"WerFault.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"revision\":0,\"current_rule\":{\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"updated_at\":\"2024-12-04T19:45:49.981Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.981Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM User Created Access Keys For Another User\",\"tags\":[\"Domain: Cloud\",\"Data 
Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.\"],\"from\":\"now-6m\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence\",\"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"CreateAccessKey\\\" and event.outcome == \\\"success\\\" and user.name != user.target.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM User 
Created Access Keys For Another User\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to 
respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.\"],\"references\":[\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence\",\"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.981Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. 
This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.\",\"target_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"merged_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \\nset of credentials for another user for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to 
respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the 
implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"CreateAccessKey\\\" and event.outcome == \\\"success\\\" and user.name != user.target.name\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, 
_index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"revision\":0,\"current_rule\":{\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"updated_at\":\"2024-12-04T19:46:03.788Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.788Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious rc.local Error Message\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the syslog log file for error messages related 
to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. This rule detects error messages such as \\\"Connection refused,\\\" \\\"No such file or directory,\\\" or \\\"command not found\\\" in the syslog log file, which may indicate that the rc.local file has been tampered with.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Filebeat\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the Filebeat System Module to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"logs-system.syslog-*\"],\"query\":\"host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\\nmessage:(\\\"Connection refused\\\" or \\\"No such file or directory\\\" or \\\"command not found\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious rc.local Error Message\",\"description\":\"This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. 
This rule detects error messages such as \\\"Connection refused,\\\" \\\"No such file or directory,\\\" or \\\"command not found\\\" in the syslog log file, which may indicate that the rc.local file has been tampered with.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Filebeat\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the Filebeat System Module to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.788Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"logs-system.syslog-*\"],\"query\":\"host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\\nmessage:(\\\"Connection refused\\\" or \\\"No such file or directory\\\" or \\\"command not found\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"revision\":0,\"current_rule\":{\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"updated_at\":\"2024-12-04T19:45:49.983Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.983Z\",\"created_by\":\"elastic\",\"name\":\"Modification of Boot Configuration\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of Boot Configuration\\n\\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\\n\\nThis rule identifies the usage of `bcdedit.exe` to:\\n\\n- Disable Windows Error Recovery (recoveryenabled).\\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\\n\\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and\\n (\\n (process.args : \\\"/set\\\" and process.args : \\\"bootstatuspolicy\\\" and process.args : \\\"ignoreallfailures\\\") or\\n (process.args : \\\"no\\\" and process.args : \\\"recoveryenabled\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of Boot Configuration\",\"description\":\"Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of Boot Configuration\\n\\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. 
These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\\n\\nThis rule identifies the usage of `bcdedit.exe` to:\\n\\n- Disable Windows Error Recovery (recoveryenabled).\\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\\n\\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.983Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and\\n (\\n (process.args : \\\"/set\\\" and process.args : \\\"bootstatuspolicy\\\" and process.args : \\\"ignoreallfailures\\\") or\\n (process.args : \\\"no\\\" and process.args : \\\"recoveryenabled\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"revision\":0,\"current_rule\":{\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"updated_at\":\"2024-12-04T19:45:49.991Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.991Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Service Host Child Process - Childless Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Changes to Windows services or a rarely executed child process.\"],\"from\":\"now-9m\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and\\n\\n /* based on svchost service arguments -s svcname where the service is known to be childless */\\n process.parent.args : (\\n \\\"WdiSystemHost\\\", \\\"LicenseManager\\\", \\\"StorSvc\\\", \\\"CDPSvc\\\", \\\"cdbhsvc\\\", \\\"BthAvctpSvc\\\", \\\"SstpSvc\\\", \\\"WdiServiceHost\\\",\\n \\\"imgsvc\\\", \\\"TrkWks\\\", \\\"WpnService\\\", 
\\\"IKEEXT\\\", \\\"PolicyAgent\\\", \\\"CryptSvc\\\", \\\"netprofm\\\", \\\"ProfSvc\\\", \\\"StateRepository\\\",\\n \\\"camsvc\\\", \\\"LanmanWorkstation\\\", \\\"NlaSvc\\\", \\\"EventLog\\\", \\\"hidserv\\\", \\\"DisplayEnhancementService\\\", \\\"ShellHWDetection\\\",\\n \\\"AppHostSvc\\\", \\\"fhsvc\\\", \\\"CscService\\\", \\\"PushToInstall\\\"\\n ) and\\n\\n /* unknown FPs can be added here */\\n not process.name : (\\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RelPost.exe\\\" and process.parent.args : \\\"WdiSystemHost\\\") and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\winethc.dll,ForceProxyDetectionOnNextRun\\\" and\\n process.parent.args : \\\"WdiServiceHost\\\"\\n ) and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Kodak\\\\\\\\kds_?????\\\\\\\\lib\\\\\\\\lexexe.exe\\\"\\n ) and process.parent.args : \\\"imgsvc\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Service Host Child Process - Childless Service\",\"description\":\"Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Changes to Windows services or a rarely executed child process.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.991Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and\\n\\n /* based on svchost service arguments -s svcname where the service is known to be childless */\\n process.parent.args : (\\n \\\"WdiSystemHost\\\", \\\"LicenseManager\\\", \\\"StorSvc\\\", \\\"CDPSvc\\\", \\\"cdbhsvc\\\", \\\"BthAvctpSvc\\\", \\\"SstpSvc\\\", \\\"WdiServiceHost\\\",\\n \\\"imgsvc\\\", \\\"TrkWks\\\", \\\"WpnService\\\", \\\"IKEEXT\\\", \\\"PolicyAgent\\\", \\\"CryptSvc\\\", \\\"netprofm\\\", \\\"ProfSvc\\\", \\\"StateRepository\\\",\\n \\\"camsvc\\\", \\\"LanmanWorkstation\\\", \\\"NlaSvc\\\", \\\"EventLog\\\", \\\"hidserv\\\", \\\"DisplayEnhancementService\\\", \\\"ShellHWDetection\\\",\\n \\\"AppHostSvc\\\", \\\"fhsvc\\\", \\\"CscService\\\", 
\\\"PushToInstall\\\"\\n ) and\\n\\n /* unknown FPs can be added here */\\n not process.name : (\\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RelPost.exe\\\" and process.parent.args : \\\"WdiSystemHost\\\") and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\winethc.dll,ForceProxyDetectionOnNextRun\\\" and\\n process.parent.args : \\\"WdiServiceHost\\\"\\n ) and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Kodak\\\\\\\\kds_?????\\\\\\\\lib\\\\\\\\lexexe.exe\\\"\\n ) and process.parent.args : \\\"imgsvc\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense 
Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"revision\":0,\"current_rule\":{\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"updated_at\":\"2024-12-04T19:45:49.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.993Z\",\"created_by\":\"elastic\",\"name\":\"Exporting Exchange Mailbox via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. 
Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exporting Exchange Mailbox via PowerShell\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\n\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. 
This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n 
process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.command_line : (\\\"*MailboxExportRequest*\\\", \\\"*-Mailbox*-ContentFilter*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Exporting Exchange Mailbox via PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exporting Exchange Mailbox via PowerShell\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\n\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":417,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate 
exchange system administration activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.993Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.command_line : (\\\"*MailboxExportRequest*\\\", \\\"*-Mailbox*-ContentFilter*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":417,\"merged_version\":417,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\"],\"target_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"revision\":0,\"current_rule\":{\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"updated_at\":\"2024-12-04T19:45:50.005Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.005Z\",\"created_by\":\"elastic\",\"name\":\"Remote Computer Account DnsHostName Update\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the remote update to a computer account's DnsHostName attribute. 
If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4\",\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.DnsHostName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"changed-computer-account\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\\n winlog.event_data.DnsHostName : \\\"??*\\\" and\\n\\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Computer Account DnsHostName Update\",\"description\":\"Identifies the remote update to a computer account's DnsHostName attribute. 
If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4\",\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.DnsHostName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.005Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"changed-computer-account\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\\n winlog.event_data.DnsHostName : \\\"??*\\\" and\\n\\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: 
Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"revision\":0,\"current_rule\":{\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"updated_at\":\"2024-12-04T19:45:50.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.010Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Server UM Writing Suspicious Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\\n\\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.\",\"This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. 
Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy.\"],\"from\":\"now-9m\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : (\\\"UMWorkerProcess.exe\\\", \\\"umservice.exe\\\") and\\n file.extension : (\\\"php\\\", \\\"jsp\\\", \\\"js\\\", \\\"aspx\\\", \\\"asmx\\\", \\\"asax\\\", \\\"cfm\\\", \\\"shtml\\\") and\\n (\\n file.path : \\\"?:\\\\\\\\inetpub\\\\\\\\wwwroot\\\\\\\\aspnet_client\\\\\\\\*\\\" or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\*\\\" and\\n not (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\version\\\\\\\\*\\\" or\\n file.name : (\\\"errorFE.aspx\\\", \\\"expiredpassword.aspx\\\", \\\"frowny.aspx\\\", \\\"GetIdToken.htm\\\", \\\"logoff.aspx\\\",\\n \\\"logon.aspx\\\", \\\"OutlookCN.aspx\\\", \\\"RedirSuiteServiceProxy.aspx\\\", \\\"signout.aspx\\\"))) or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\ecp\\\\\\\\auth\\\\\\\\*\\\" and\\n not file.name : \\\"TimeoutLogoff.aspx\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Server UM Writing Suspicious Files\",\"description\":\"Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26858.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\\n\\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.\",\"This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. 
Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy.\"],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.010Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file 
where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : (\\\"UMWorkerProcess.exe\\\", \\\"umservice.exe\\\") and\\n file.extension : (\\\"php\\\", \\\"jsp\\\", \\\"js\\\", \\\"aspx\\\", \\\"asmx\\\", \\\"asax\\\", \\\"cfm\\\", \\\"shtml\\\") and\\n (\\n file.path : \\\"?:\\\\\\\\inetpub\\\\\\\\wwwroot\\\\\\\\aspnet_client\\\\\\\\*\\\" or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\*\\\" and\\n not (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\version\\\\\\\\*\\\" or\\n file.name : (\\\"errorFE.aspx\\\", \\\"expiredpassword.aspx\\\", \\\"frowny.aspx\\\", \\\"GetIdToken.htm\\\", \\\"logoff.aspx\\\",\\n \\\"logon.aspx\\\", \\\"OutlookCN.aspx\\\", \\\"RedirSuiteServiceProxy.aspx\\\", \\\"signout.aspx\\\"))) or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\ecp\\\\\\\\auth\\\\\\\\*\\\" and\\n not file.name : \\\"TimeoutLogoff.aspx\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"revision\":0,\"current_rule\":{\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"updated_at\":\"2024-12-04T19:45:50.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.012Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process For a Windows Host\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process For a Windows Host\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_rare_process_by_host_windows\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process For a Windows Host\",\"description\":\"Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. 
Processes are considered rare when they only run occasionally as compared with other processes running on the host.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process For a Windows Host\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.012Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_rare_process_by_host_windows\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"updated_at\":\"2024-12-04T19:45:50.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.017Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Commonly Abused Remote Access Tool Execution\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\\n\\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\\n\\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\\n\\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check if the execution of the remote access tool is approved by the organization's IT department.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\",\"https://attack.mitre.org/techniques/T1219/\",\"https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type: \\\"windows\\\" and\\n\\n event.category: \\\"process\\\" and event.type : \\\"start\\\" and\\n\\n (\\n process.code_signature.subject_name : (\\n \\\"Action1 Corporation\\\" or\\n \\\"AeroAdmin LLC\\\" or\\n \\\"Ammyy LLC\\\" or\\n \\\"Atera Networks Ltd\\\" or\\n \\\"AWERAY PTE. LTD.\\\" or\\n \\\"BeamYourScreen GmbH\\\" or\\n \\\"Bomgar Corporation\\\" or\\n \\\"DUC FABULOUS CO.,LTD\\\" or\\n \\\"DOMOTZ INC.\\\" or\\n \\\"DWSNET OÜ\\\" or\\n \\\"FleetDeck Inc\\\" or\\n \\\"GlavSoft LLC\\\" or\\n \\\"GlavSoft LLC.\\\" or\\n \\\"Hefei Pingbo Network Technology Co. 
Ltd\\\" or\\n \\\"IDrive, Inc.\\\" or\\n \\\"IMPERO SOLUTIONS LIMITED\\\" or\\n \\\"Instant Housecall\\\" or\\n \\\"ISL Online Ltd.\\\" or\\n \\\"LogMeIn, Inc.\\\" or\\n \\\"Monitoring Client\\\" or\\n \\\"MMSOFT Design Ltd.\\\" or\\n \\\"Nanosystems S.r.l.\\\" or\\n \\\"NetSupport Ltd\\\" or\\n \\\"NinjaRMM, LLC\\\" or\\n \\\"Parallels International GmbH\\\" or\\n \\\"philandro Software GmbH\\\" or\\n \\\"Pro Softnet Corporation\\\" or\\n \\\"RealVNC\\\" or\\n \\\"RealVNC Limited\\\" or\\n \\\"BreakingSecurity.net\\\" or\\n \\\"Remote Utilities LLC\\\" or\\n \\\"Rocket Software, Inc.\\\" or\\n \\\"SAFIB\\\" or\\n \\\"Servably, Inc.\\\" or\\n \\\"ShowMyPC INC\\\" or\\n \\\"Splashtop Inc.\\\" or\\n \\\"Superops Inc.\\\" or\\n \\\"TeamViewer\\\" or\\n \\\"TeamViewer GmbH\\\" or\\n \\\"TeamViewer Germany GmbH\\\" or\\n \\\"Techinline Limited\\\" or\\n \\\"uvnc bvba\\\" or\\n \\\"Yakhnovets Denis Aleksandrovich IP\\\" or\\n \\\"Zhou Huabing\\\"\\n ) or\\n\\n process.name.caseless : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n ) or\\n process.name : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n )\\n\\t) and\\n\\n\\tnot (process.pe.original_file_name : (\\\"G2M.exe\\\" or \\\"Updater.exe\\\" or \\\"powershell.exe\\\") and process.code_signature.subject_name : \\\"LogMeIn, Inc.\\\")\\n\",\"new_terms_fields\":[\"host.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Commonly Abused Remote Access Tool Execution\",\"description\":\"Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. 
This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\\n\\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\\n\\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\\n\\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check if the execution of the remote access tool is approved by the organization's IT department.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. 
Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\",\"https://attack.mitre.org/techniques/T1219/\",\"https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.017Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type: \\\"windows\\\" and\\n\\n event.category: \\\"process\\\" and event.type : \\\"start\\\" and\\n\\n (\\n process.code_signature.subject_name : (\\n \\\"Action1 Corporation\\\" or\\n \\\"AeroAdmin LLC\\\" or\\n \\\"Ammyy LLC\\\" or\\n \\\"Atera Networks Ltd\\\" or\\n \\\"AWERAY PTE. LTD.\\\" or\\n \\\"BeamYourScreen GmbH\\\" or\\n \\\"Bomgar Corporation\\\" or\\n \\\"DUC FABULOUS CO.,LTD\\\" or\\n \\\"DOMOTZ INC.\\\" or\\n \\\"DWSNET OÜ\\\" or\\n \\\"FleetDeck Inc\\\" or\\n \\\"GlavSoft LLC\\\" or\\n \\\"GlavSoft LLC.\\\" or\\n \\\"Hefei Pingbo Network Technology Co. 
Ltd\\\" or\\n \\\"IDrive, Inc.\\\" or\\n \\\"IMPERO SOLUTIONS LIMITED\\\" or\\n \\\"Instant Housecall\\\" or\\n \\\"ISL Online Ltd.\\\" or\\n \\\"LogMeIn, Inc.\\\" or\\n \\\"Monitoring Client\\\" or\\n \\\"MMSOFT Design Ltd.\\\" or\\n \\\"Nanosystems S.r.l.\\\" or\\n \\\"NetSupport Ltd\\\" or\\n \\\"NinjaRMM, LLC\\\" or\\n \\\"Parallels International GmbH\\\" or\\n \\\"philandro Software GmbH\\\" or\\n \\\"Pro Softnet Corporation\\\" or\\n \\\"RealVNC\\\" or\\n \\\"RealVNC Limited\\\" or\\n \\\"BreakingSecurity.net\\\" or\\n \\\"Remote Utilities LLC\\\" or\\n \\\"Rocket Software, Inc.\\\" or\\n \\\"SAFIB\\\" or\\n \\\"Servably, Inc.\\\" or\\n \\\"ShowMyPC INC\\\" or\\n \\\"Splashtop Inc.\\\" or\\n \\\"Superops Inc.\\\" or\\n \\\"TeamViewer\\\" or\\n \\\"TeamViewer GmbH\\\" or\\n \\\"TeamViewer Germany GmbH\\\" or\\n \\\"Techinline Limited\\\" or\\n \\\"uvnc bvba\\\" or\\n \\\"Yakhnovets Denis Aleksandrovich IP\\\" or\\n \\\"Zhou Huabing\\\"\\n ) or\\n\\n process.name.caseless : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n ) or\\n process.name : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n )\\n\\t) and\\n\\n\\tnot (process.pe.original_file_name : (\\\"G2M.exe\\\" or \\\"Updater.exe\\\" or \\\"powershell.exe\\\") and process.code_signature.subject_name : \\\"LogMeIn, Inc.\\\")\\n\",\"new_terms_fields\":[\"host.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"revision\":0,\"current_rule\":{\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"updated_at\":\"2024-12-04T19:45:50.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.020Z\",\"created_by\":\"elastic\",\"name\":\"Anomalous Process For a Windows Population\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Searches for rare processes running on multiple hosts in an entire fleet or network. 
This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Process For a Windows Population\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following 
integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_all_hosts\"],\"actions\":[]},\"target_rule\":{\"name\":\"Anomalous Process For a Windows Population\",\"description\":\"Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Process For a Windows Population\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unisgned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is 
enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” integration to an existing or a new agent policy, and deploy the agent on the systems from which Windows log files should be collected.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.020Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_all_hosts\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"revision\":0,\"current_rule\":{\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"updated_at\":\"2024-12-04T19:45:50.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.022Z\",\"created_by\":\"elastic\",\"name\":\"AdminSDHolder Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://adsecurity.org/?p=1906\",\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdminSDHolder Backdoor\",\"description\":\"Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://adsecurity.org/?p=1906\",\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.022Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"revision\":0,\"current_rule\":{\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"updated_at\":\"2024-12-04T19:45:50.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.027Z\",\"created_by\":\"elastic\",\"name\":\"Potential Windows Error Manager Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. 
This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Windows Error Manager Masquerading\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legit Application Crash with rare Werfault commandline value\"],\"from\":\"now-9m\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [process where host.os.type == \\\"windows\\\" and event.type:\\\"start\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and destination.ip !=\\\"::1\\\" and destination.ip !=\\\"127.0.0.1\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Windows Error Manager 
Masquerading\",\"description\":\"Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Windows Error Manager Masquerading\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legit Application Crash with rare Werfault commandline value\"],\"references\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.027Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [process where host.os.type == \\\"windows\\\" and event.type:\\\"start\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and destination.ip !=\\\"::1\\\" and destination.ip !=\\\"127.0.0.1\\\"\\n 
]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\"],\"target_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"revision\":0,\"current_rule\":{\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"updated_at\":\"2024-12-04T19:45:50.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.029Z\",\"created_by\":\"elastic\",\"name\":\"Security Software Discovery using WMIC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery using WMIC\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name : \\\"wmic.exe\\\") and\\nprocess.args : \\\"/namespace:\\\\\\\\\\\\\\\\root\\\\\\\\SecurityCenter2\\\" and process.args : \\\"Get\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Security Software Discovery using WMIC\",\"description\":\"Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall 
details.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery using WMIC\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.029Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name : \\\"wmic.exe\\\") and\\nprocess.args : \\\"/namespace:\\\\\\\\\\\\\\\\root\\\\\\\\SecurityCenter2\\\" and process.args : \\\"Get\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"revision\":0,\"current_rule\":{\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"updated_at\":\"2024-12-04T19:46:03.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.792Z\",\"created_by\":\"elastic\",\"name\":\"Active Directory Group Modification by SYSTEM\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.code == \\\"4728\\\" and\\nwinlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n/* DOMAIN_USERS and local groups */\\nnot group.id : \\\"S-1-5-21-*-513\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Active Directory Group Modification by SYSTEM\",\"description\":\"Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. 
This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.code == \\\"4728\\\" and\\nwinlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n/* DOMAIN_USERS and local groups */\\nnot group.id : \\\"S-1-5-21-*-513\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"revision\":0,\"current_rule\":{\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"updated_at\":\"2024-12-04T19:45:50.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.034Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Role Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Role Modified\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. 
Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace role is modified.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\\n- After identifying the involved user, verify administrative privileges are scoped properly.\\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The 
`event.action` field will help trace actions that are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that modified the role, verify the action was intentional.\\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Role Modified\",\"description\":\"Detects when a custom admin role or its permissions are modified. 
An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Role Modified\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace role is modified.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\\n- After identifying the involved user, verify administrative privileges are scoped properly.\\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace actions that are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that modified the role, verify the action was intentional.\\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of 
the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By 
default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.034Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"revision\":0,\"current_rule\":{\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"updated_at\":\"2024-12-04T19:45:50.037Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.037Z\",\"created_by\":\"elastic\",\"name\":\"AWS CloudTrail Log Deleted\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Log Auditing\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS CloudTrail Log Deleted\\n\\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\\n\\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with 
your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html\",\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS CloudTrail Log Deleted\",\"description\":\"Identifies the deletion of an AWS log trail. 
An adversary may delete trails in an attempt to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS CloudTrail Log Deleted\\n\\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\\n\\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Log Auditing\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html\",\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.037Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and 
event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"revision\":0,\"current_rule\":{\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"updated_at\":\"2024-12-04T19:45:51.161Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.161Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via MSIEXEC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from unusual paths or parent processes. Adversaries may abuse msiexec.exe to launch malicious local MSI files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.007\",\"name\":\"Msiexec\",\"reference\":\"https://attack.mitre.org/techniques/T1218/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\",\"https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n process.name : \\\"msiexec.exe\\\" and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.parent.executable != null and\\n (\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\") and\\n 
not process.parent.executable : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\programdata\\\\\\\\*\\\")) or\\n\\n (process.args_count == 1 and not process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\explorer.exe\\\")) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n (process.parent.args : \\\"Schedule\\\" or process.parent.name : \\\"wmiprvse.exe\\\" or\\n process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\" or\\n (process.parent.name : (\\\"powershell.exe\\\", \\\"cmd.exe\\\") and length(process.parent.command_line) >= 200))) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n ?process.working_directory : \\\"?:\\\\\\\\\\\" and process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* noisy pattern */\\n not (process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\" and ?process.parent.args_count >= 2 and\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\*.msi\\\") and\\n\\n not process.args : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via MSIEXEC\",\"description\":\"Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from unusual paths or parent processes. 
Adversaries may abuse msiexec.exe to launch malicious local MSI files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\",\"https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.007\",\"name\":\"Msiexec\",\"reference\":\"https://attack.mitre.org/techniques/T1218/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.161Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n process.name : \\\"msiexec.exe\\\" and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.parent.executable != null and\\n (\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\") and\\n not 
process.parent.executable : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\programdata\\\\\\\\*\\\")) or\\n\\n (process.args_count == 1 and not process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\explorer.exe\\\")) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n (process.parent.args : \\\"Schedule\\\" or process.parent.name : \\\"wmiprvse.exe\\\" or\\n process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\" or\\n (process.parent.name : (\\\"powershell.exe\\\", \\\"cmd.exe\\\") and length(process.parent.command_line) >= 200))) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n ?process.working_directory : \\\"?:\\\\\\\\\\\" and process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* noisy pattern */\\n not (process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\" and ?process.parent.args_count >= 2 and\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\*.msi\\\") and\\n\\n not process.args : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"revision\":0,\"current_rule\":{\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"updated_at\":\"2024-12-04T19:45:51.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.172Z\",\"created_by\":\"elastic\",\"name\":\"Unusual File Creation - Alternate Data Stream\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Creation - Alternate Data Stream\\n\\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\\n\\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. 
So any data stream that has a name is considered an alternate data stream.\\n\\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\\n - `Get-Content C:\\\\Path\\\\To\\\\file.exe -stream SampleAlternateDataStreamName`\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\",\\n \\\"dll\\\",\\n \\\"exe\\\",\\n \\\"dat\\\",\\n \\\"com\\\",\\n \\\"bat\\\",\\n \\\"cmd\\\",\\n \\\"sys\\\",\\n \\\"vbs\\\",\\n \\\"ps1\\\",\\n \\\"hta\\\",\\n \\\"txt\\\",\\n \\\"vbe\\\",\\n \\\"js\\\",\\n \\\"wsh\\\",\\n \\\"docx\\\",\\n \\\"doc\\\",\\n \\\"xlsx\\\",\\n \\\"xls\\\",\\n \\\"pptx\\\",\\n \\\"ppt\\\",\\n \\\"rtf\\\",\\n \\\"gif\\\",\\n \\\"jpg\\\",\\n \\\"png\\\",\\n \\\"bmp\\\",\\n \\\"img\\\",\\n \\\"iso\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual File Creation - Alternate Data Stream\",\"description\":\"Identifies suspicious creation of Alternate Data Streams on highly targeted files. 
This is uncommon for legitimate files and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Creation - Alternate Data Stream\\n\\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\\n\\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\\n\\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\\n - `Get-Content C:\\\\Path\\\\To\\\\file.exe -stream SampleAlternateDataStreamName`\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n 
\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", 
\\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\",\\n \\\"dll\\\",\\n \\\"exe\\\",\\n \\\"dat\\\",\\n \\\"com\\\",\\n \\\"bat\\\",\\n \\\"cmd\\\",\\n \\\"sys\\\",\\n \\\"vbs\\\",\\n \\\"ps1\\\",\\n \\\"hta\\\",\\n \\\"txt\\\",\\n \\\"vbe\\\",\\n \\\"js\\\",\\n \\\"wsh\\\",\\n \\\"docx\\\",\\n \\\"doc\\\",\\n \\\"xlsx\\\",\\n \\\"xls\\\",\\n \\\"pptx\\\",\\n \\\"ppt\\\",\\n \\\"rtf\\\",\\n \\\"gif\\\",\\n \\\"jpg\\\",\\n \\\"png\\\",\\n \\\"bmp\\\",\\n \\\"img\\\",\\n \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", \\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and 
event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", \\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"revision\":0,\"current_rule\":{\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"updated_at\":\"2024-12-04T19:45:51.174Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.174Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious RDP ActiveX Client Loaded\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"mstscax.dll\\\" or file.name : \\\"mstscax.dll\\\") and\\n /* depending on noise in your env add here extra paths */\\n process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Default\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\"\\n ) and\\n /* add here FPs */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vmconnect.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsSandboxClient.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hvsirdpclient.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious RDP ActiveX Client Loaded\",\"description\":\"Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.174Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"mstscax.dll\\\" or file.name : \\\"mstscax.dll\\\") and\\n /* depending on noise in your env add here extra paths */\\n process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Default\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\"\\n ) and\\n /* add here FPs */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vmconnect.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsSandboxClient.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hvsirdpclient.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"revision\":0,\"current_rule\":{\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"updated_at\":\"2024-12-04T19:45:51.200Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.200Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious JetBrains TeamCity Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning.\"],\"from\":\"now-9m\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n 
\\\"?:\\\\\\\\TeamCity\\\\\\\\BuildAgent\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"msiexec.exe\\\", \\\"certutil.exe\\\", \\\"bitsadmin.exe\\\", \\\"wmic.exe\\\", \\\"curl.exe\\\", \\\"ssh.exe\\\",\\n \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"mshta.exe\\\", \\\"certreq.exe\\\", \\\"net.exe\\\", \\\"nltest.exe\\\", \\\"whoami.exe\\\", \\\"hostname.exe\\\",\\n \\\"tasklist.exe\\\", \\\"arp.exe\\\", \\\"nbtstat.exe\\\", \\\"netstat.exe\\\", \\\"reg.exe\\\", \\\"tasklist.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\",\\n \\\"dnx.exe\\\", \\\"dsget.exe\\\", \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\",\\\"msxsl.exe\\\", \\\"netsh.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\",\\n \\\"systeminfo.exe\\\", \\\"tracert.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"msdt.exe\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"-ExecutionPolicy\\\" and process.args : \\\"?:\\\\\\\\TeamCity\\\\\\\\buildAgent\\\\\\\\work\\\\\\\\*.ps1\\\") and\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"dir\\\" and process.args : \\\"/-c\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious JetBrains TeamCity Child Process\",\"description\":\"Identifies suspicious processes being spawned by the JetBrain TeamCity process. 
This activity could be related to JetBrains remote code execution vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning.\"],\"references\":[\"https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.200Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\TeamCity\\\\\\\\BuildAgent\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"msiexec.exe\\\", \\\"certutil.exe\\\", \\\"bitsadmin.exe\\\", \\\"wmic.exe\\\", \\\"curl.exe\\\", \\\"ssh.exe\\\",\\n \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"mshta.exe\\\", \\\"certreq.exe\\\", \\\"net.exe\\\", \\\"nltest.exe\\\", \\\"whoami.exe\\\", \\\"hostname.exe\\\",\\n \\\"tasklist.exe\\\", \\\"arp.exe\\\", \\\"nbtstat.exe\\\", \\\"netstat.exe\\\", 
\\\"reg.exe\\\", \\\"tasklist.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\",\\n \\\"dnx.exe\\\", \\\"dsget.exe\\\", \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\",\\\"msxsl.exe\\\", \\\"netsh.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\",\\n \\\"systeminfo.exe\\\", \\\"tracert.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"msdt.exe\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"-ExecutionPolicy\\\" and process.args : \\\"?:\\\\\\\\TeamCity\\\\\\\\buildAgent\\\\\\\\work\\\\\\\\*.ps1\\\") and\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"dir\\\" and process.args : \\\"/-c\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft 
Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"revision\":0,\"current_rule\":{\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"updated_at\":\"2024-12-04T19:46:03.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.797Z\",\"created_by\":\"elastic\",\"name\":\"Potential Execution of rc.local Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. 
The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"info\\\" and event.action == \\\"already_running\\\" and \\nprocess.parent.args == \\\"/etc/rc.local\\\" and process.parent.args == \\\"start\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Execution of rc.local Script\",\"description\":\"This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. 
As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"info\\\" and event.action == \\\"already_running\\\" and \\nprocess.parent.args == \\\"/etc/rc.local\\\" and process.parent.args == \\\"start\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"revision\":0,\"current_rule\":{\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"updated_at\":\"2024-12-04T19:45:51.203Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.203Z\",\"created_by\":\"elastic\",\"name\":\"Potential Modification of Accessibility Binaries\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Modification of Accessibility Binaries\\n\\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n\\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\\n\\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility 
Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/blog/practical-security-engineering-stateful-detection\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"Utilman.exe\\\", \\\"winlogon.exe\\\") and user.name == \\\"SYSTEM\\\" and\\n process.pe.original_file_name : \\\"?*\\\" and\\n process.args :\\n (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Sethc.exe\\\",\\n \\\"utilman.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"sethc.exe\\\"\\n )\\n and not process.pe.original_file_name in\\n (\\n \\\"osk.exe\\\",\\n \\\"sethc.exe\\\",\\n \\\"utilman2.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"ScreenMagnifier.exe\\\",\\n \\\"SR.exe\\\",\\n \\\"Narrator.exe\\\",\\n \\\"magnify.exe\\\",\\n \\\"MAGNIFY.EXE\\\"\\n )\\n\\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\\n/* and process.code_signature.subject_name == \\\"Microsoft Windows\\\" and process.code_signature.status == \\\"trusted\\\" */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Modification of Accessibility Binaries\",\"description\":\"Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Modification of Accessibility Binaries\\n\\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n\\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\\n\\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/blog/practical-security-engineering-stateful-detection\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility 
Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.203Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"Utilman.exe\\\", \\\"winlogon.exe\\\") and user.name == \\\"SYSTEM\\\" and\\n process.pe.original_file_name : \\\"?*\\\" and\\n process.args :\\n (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Sethc.exe\\\",\\n \\\"utilman.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"sethc.exe\\\"\\n )\\n and not process.pe.original_file_name in\\n (\\n \\\"osk.exe\\\",\\n \\\"sethc.exe\\\",\\n \\\"utilman2.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"ScreenMagnifier.exe\\\",\\n \\\"SR.exe\\\",\\n \\\"Narrator.exe\\\",\\n \\\"magnify.exe\\\",\\n \\\"MAGNIFY.EXE\\\"\\n )\\n\\n/* uncomment 
once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\\n/* and process.code_signature.subject_name == \\\"Microsoft Windows\\\" and process.code_signature.status == \\\"trusted\\\" */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"revision\":0,\"current_rule\":{\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"updated_at\":\"2024-12-04T19:45:51.212Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.212Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Sysctl File Event\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n\\n```\\n-w /etc/sysctl.conf -p wa -k sysctl\\n-w /etc/sysctl.d -p wa -k sysctl\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Sysctl File Event\",\"description\":\"Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. 
Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n\\n```\\n-w /etc/sysctl.conf -p wa -k sysctl\\n-w /etc/sysctl.d -p wa -k sysctl\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.212Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or 
pool*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"revision\":0,\"current_rule\":{\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"updated_at\":\"2024-12-04T19:45:51.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.219Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Sudoers File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A sudoers file specifies the commands users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Sudoers File Modification\",\"description\":\"A sudoers file specifies the commands users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"event.category:process and event.type:start and 
process.args:(echo and *NOPASSWD*ALL*)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"revision\":0,\"current_rule\":{\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"updated_at\":\"2024-12-04T19:45:51.224Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.224Z\",\"created_by\":\"elastic\",\"name\":\"Access to a Sensitive LDAP Attribute\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and event.code == \\\"4662\\\" and\\n\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n winlog.event_data.Properties : (\\n /* unixUserPassword */\\n \\\"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\\\",\\n\\n /* ms-PKI-AccountCredentials */\\n \\\"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\\\",\\n\\n /* ms-PKI-DPAPIMasterKeys */\\n 
\\\"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\\\",\\n\\n /* msPKI-CredentialRoamingTokens */\\n \\\"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\\\"\\n ) and\\n\\n /*\\n Excluding noisy AccessMasks\\n 0x0 undefined and 0x100 Control Access\\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\\n */\\n not winlog.event_data.AccessMask in (\\\"0x0\\\", \\\"0x100\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Access to a Sensitive LDAP Attribute\",\"description\":\"Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1552\",\"name\":\"Unsecured 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.224Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Access\\\", 
\\\"object-operation-performed\\\") and event.code == \\\"4662\\\" and\\n\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n winlog.event_data.Properties : (\\n /* unixUserPassword */\\n \\\"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\\\",\\n\\n /* ms-PKI-AccountCredentials */\\n \\\"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\\\",\\n\\n /* ms-PKI-DPAPIMasterKeys */\\n \\\"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\\\",\\n\\n /* msPKI-CredentialRoamingTokens */\\n \\\"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\\\"\\n ) and\\n\\n /*\\n Excluding noisy AccessMasks\\n 0x0 undefined and 0x100 Control Access\\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\\n */\\n not winlog.event_data.AccessMask in (\\\"0x0\\\", \\\"0x100\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"revision\":0,\"current_rule\":{\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"updated_at\":\"2024-12-04T19:45:51.234Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.234Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Rogue Named Pipe Impersonation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via rogue named pipe impersonation. 
An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\",\"https://github.com/zcgonvh/EfsPotato\",\"https://twitter.com/SBousseaden/status/1429530155291193354\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\\n`condition equal \\\"contains\\\" and keyword equal \\\"pipe\\\"`\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"Pipe Created*\\\" and\\n /* normal sysmon named pipe creation events truncate the pipe keyword */\\n file.name : \\\"\\\\\\\\*\\\\\\\\Pipe\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Rogue Named Pipe Impersonation\",\"description\":\"Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\",\"https://github.com/zcgonvh/EfsPotato\",\"https://twitter.com/SBousseaden/status/1429530155291193354\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"## Setup\\n\\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\\n`condition equal \\\"contains\\\" and keyword equal \\\"pipe\\\"`\\n\\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.234Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"Pipe Created*\\\" and\\n /* normal sysmon named pipe creation events truncate the pipe keyword */\\n file.name : \\\"\\\\\\\\*\\\\\\\\Pipe\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"revision\":0,\"current_rule\":{\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"updated_at\":\"2024-12-04T19:45:51.238Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.238Z\",\"created_by\":\"elastic\",\"name\":\"Potential Remote Desktop Tunneling Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Remote Desktop Tunneling Detected\\n\\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\\n\\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\\n\\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine network data to determine if the host communicated with external servers using the tunnel.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral 
Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/\"],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* RDP port and usual SSH tunneling related switches in command line */\\n process.args : \\\"*:3389\\\" and\\n process.args : (\\\"-L\\\", \\\"-P\\\", 
\\\"-R\\\", \\\"-pw\\\", \\\"-ssh\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Remote Desktop Tunneling Detected\",\"description\":\"Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Remote Desktop Tunneling Detected\\n\\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\\n\\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\\n\\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine network data to determine if the host communicated with external servers using the tunnel.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.238Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* RDP port and usual SSH tunneling related switches in command line */\\n process.args : \\\"*:3389\\\" and\\n process.args : (\\\"-L\\\", \\\"-P\\\", \\\"-R\\\", \\\"-pw\\\", \\\"-ssh\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"revision\":0,\"current_rule\":{\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"updated_at\":\"2024-12-04T19:45:51.241Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.241Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration Command Spawned via WMIPrvSE\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\",\"subtechnique\":[{\"id\":\"T1016.001\",\"name\":\"Internet Connection Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/001/\"}]},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\"},{\"id\":\"T1518\",\"name\":\"Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\",\\n \\\"dsquery.exe\\\",\\n \\\"dsget.exe\\\",\\n \\\"gpresult.exe\\\",\\n \\\"hostname.exe\\\",\\n \\\"ipconfig.exe\\\",\\n \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\",\\n \\\"net1.exe\\\",\\n \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\",\\n \\\"nltest.exe\\\",\\n \\\"ping.exe\\\",\\n \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\",\\n 
\\\"qwinsta.exe\\\",\\n \\\"reg.exe\\\",\\n \\\"sc.exe\\\",\\n \\\"systeminfo.exe\\\",\\n \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration Command Spawned via WMIPrvSE\",\"description\":\"Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\",\"subtechnique\":[{\"id\":\"T1016.001\",\"name\":\"Internet Connection Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/001/\"}]},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\"},{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.241Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", 
\\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: 
Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\",\\n \\\"dsquery.exe\\\",\\n \\\"dsget.exe\\\",\\n \\\"gpresult.exe\\\",\\n \\\"hostname.exe\\\",\\n \\\"ipconfig.exe\\\",\\n \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\",\\n \\\"net1.exe\\\",\\n \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\",\\n \\\"nltest.exe\\\",\\n \\\"ping.exe\\\",\\n \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\",\\n \\\"reg.exe\\\",\\n \\\"sc.exe\\\",\\n \\\"systeminfo.exe\\\",\\n \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : 
\\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"revision\":0,\"current_rule\":{\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"updated_at\":\"2024-12-04T19:45:51.246Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.246Z\",\"created_by\":\"elastic\",\"name\":\"UID Elevation from Previously Unknown Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. 
Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.013\",\"name\":\"KernelCallbackTable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n 
process.args:/usr/bin/python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"UID Elevation from Previously Unknown Executable\",\"description\":\"Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.013\",\"name\":\"KernelCallbackTable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic 
Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.246Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or 
/usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or 
/opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" 
or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"revision\":0,\"current_rule\":{\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"updated_at\":\"2024-12-04T19:45:51.250Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.250Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Sweep Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. 
This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\"],\"query\":\"destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 
192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.ip\",\"value\":100}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Sweep Detected\",\"description\":\"This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.250Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.ip\",\"value\":100}]},\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data 
Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"revision\":0,\"current_rule\":{\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"updated_at\":\"2024-12-04T19:46:03.800Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.800Z\",\"created_by\":\"elastic\",\"name\":\"Yum/DNF Plugin Status Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"grep\\\" and process.args : \\\"plugins*\\\" and process.args : (\\n \\\"/etc/yum.conf\\\", \\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\",\\n \\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\", \\\"/etc/dnf/dnf.conf\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Yum/DNF Plugin Status Discovery\",\"description\":\"This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. 
This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.800Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"grep\\\" and process.args : \\\"plugins*\\\" and process.args : (\\n \\\"/etc/yum.conf\\\", \\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\",\\n \\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\", 
\\\"/etc/dnf/dnf.conf\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"target_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"revision\":0,\"current_rule\":{\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"updated_at\":\"2024-12-04T19:45:51.253Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.253Z\",\"created_by\":\"elastic\",\"name\":\"Application Added to Google Workspace Domain\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation 
Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Added to Google Workspace Domain\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Application Added to Google Workspace 
Domain\",\"description\":\"Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Added to Google Workspace Domain\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.253Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"revision\":0,\"current_rule\":{\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"updated_at\":\"2024-12-04T19:45:51.260Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.260Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious ScreenConnect Client Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect client processes. 
This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\"],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name :\\n 
(\\\"ScreenConnect.ClientService.exe\\\",\\n \\\"ScreenConnect.WindowsClient.exe\\\",\\n \\\"ScreenConnect.WindowsBackstageShell.exe\\\",\\n \\\"ScreenConnect.WindowsFileManager.exe\\\") and\\n (\\n (process.name : \\\"powershell.exe\\\" and\\n process.args : (\\\"-enc\\\", \\\"-ec\\\", \\\"-e\\\", \\\"*downloadstring*\\\", \\\"*Reflection.Assembly*\\\", \\\"*http*\\\")) or\\n (process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\") or\\n (process.name : \\\"net.exe\\\" and process.args : \\\"/add\\\") or\\n (process.name : \\\"schtasks.exe\\\" and process.args : (\\\"/create\\\", \\\"-create\\\")) or\\n (process.name : \\\"sc.exe\\\" and process.args : \\\"create\\\") or\\n (process.name : \\\"rundll32.exe\\\" and not process.args : \\\"url.dll,FileProtocolHandler\\\") or\\n (process.name : \\\"msiexec.exe\\\" and process.args : (\\\"/i\\\", \\\"-i\\\") and\\n process.args : (\\\"/q\\\", \\\"/quiet\\\", \\\"/qn\\\", \\\"-q\\\", \\\"-quiet\\\", \\\"-qn\\\", \\\"-Q+\\\")) or\\n process.name : (\\\"mshta.exe\\\", \\\"certutil.exe\\\", \\\"bistadmin.exe\\\", \\\"certreq.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"curl.exe\\\",\\n \\\"ssh.exe\\\", \\\"scp.exe\\\", \\\"wevtutil.exe\\\", \\\"wget.exe\\\", \\\"wmic.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious ScreenConnect Client Child Process\",\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect client processes. 
This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.260Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name :\\n (\\\"ScreenConnect.ClientService.exe\\\",\\n \\\"ScreenConnect.WindowsClient.exe\\\",\\n \\\"ScreenConnect.WindowsBackstageShell.exe\\\",\\n \\\"ScreenConnect.WindowsFileManager.exe\\\") and\\n (\\n (process.name : \\\"powershell.exe\\\" and\\n process.args : (\\\"-enc\\\", \\\"-ec\\\", \\\"-e\\\", \\\"*downloadstring*\\\", \\\"*Reflection.Assembly*\\\", \\\"*http*\\\")) or\\n (process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\") or\\n (process.name : \\\"net.exe\\\" and process.args : \\\"/add\\\") or\\n (process.name : \\\"schtasks.exe\\\" and process.args : (\\\"/create\\\", \\\"-create\\\")) or\\n (process.name : \\\"sc.exe\\\" and process.args : \\\"create\\\") or\\n (process.name : \\\"rundll32.exe\\\" and not 
process.args : \\\"url.dll,FileProtocolHandler\\\") or\\n (process.name : \\\"msiexec.exe\\\" and process.args : (\\\"/i\\\", \\\"-i\\\") and\\n process.args : (\\\"/q\\\", \\\"/quiet\\\", \\\"/qn\\\", \\\"-q\\\", \\\"-quiet\\\", \\\"-qn\\\", \\\"-Q+\\\")) or\\n process.name : (\\\"mshta.exe\\\", \\\"certutil.exe\\\", \\\"bistadmin.exe\\\", \\\"certreq.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"curl.exe\\\",\\n \\\"ssh.exe\\\", \\\"scp.exe\\\", \\\"wevtutil.exe\\\", \\\"wget.exe\\\", \\\"wmic.exe\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"revision\":0,\"current_rule\":{\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"updated_at\":\"2024-12-04T19:45:51.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.269Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL Loaded by Svchost\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\svchost.exe\\\") and \\n \\n dll.code_signature.trusted != true and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\") and \\n \\n dll.hash.sha256 != null and \\n \\n (\\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\\n dll.Ext.relative_file_creation_time <= 300 or \\n \\n /* unusual paths */\\n dll.path :(\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\")\\n ) and \\n \\n not dll.hash.sha256 : \\n (\\\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\\\", \\n \\\"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\\\", \\n \\\"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\\\", \\n \\\"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\\\", \\n \\\"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL Loaded by Svchost\",\"description\":\"Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\svchost.exe\\\") and \\n \\n dll.code_signature.trusted != true and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\") and \\n \\n dll.hash.sha256 != null and \\n \\n (\\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\\n dll.Ext.relative_file_creation_time <= 300 or \\n \\n /* unusual paths */\\n dll.path :(\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\")\\n ) and \\n \\n not dll.hash.sha256 : \\n (\\\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\\\", \\n \\\"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\\\", \\n \\\"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\\\", \\n \\\"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\\\", \\n 
\\\"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merged_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"revision\":0,\"current_rule\":{\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"updated_at\":\"2024-12-04T19:45:51.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.278Z\",\"created_by\":\"elastic\",\"name\":\"Potential File Transfer via Certreq\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Certreq making an HTTP Post request. 
Adversaries could abuse Certreq to download files or upload data to a remote URL.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Transfer via Certreq\\n\\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\\n\\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\"}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Certreq/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"CertReq.exe\\\" or ?process.pe.original_file_name == \\\"CertReq.exe\\\") and process.args : \\\"-Post\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential File Transfer via Certreq\",\"description\":\"Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Transfer via Certreq\\n\\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. 
However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\\n\\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Certreq/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"CertReq.exe\\\" or ?process.pe.original_file_name == \\\"CertReq.exe\\\") and process.args : \\\"-Post\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"revision\":0,\"current_rule\":{\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"updated_at\":\"2024-12-04T19:45:51.281Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.281Z\",\"created_by\":\"elastic\",\"name\":\"Potential Shadow Credentials added to AD Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. 
Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Shadow Credentials added to AD Object\\n\\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\\n\\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\\n\\n#### Possible investigation steps\\n\\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\\n - Check whether the `source.ip` is the server running Azure AD Connect.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\\n\\n### False positive analysis\\n\\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. 
You can also create an exception for the account if expected activity makes too much noise in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Remove the Shadow Credentials from the object.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. 
These accounts can be added as Exceptions.\"],\"from\":\"now-9m\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab\",\"https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials\",\"https://github.com/OTRF/Set-AuditRule\",\"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msDS-KeyCredentialLink\\\" and winlog.event_data.AttributeValue :B\\\\:828* and\\n not winlog.event_data.SubjectUserName: MSOL_*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Shadow Credentials added to AD Object\",\"description\":\"Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Shadow Credentials added to AD Object\\n\\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\\n\\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\\n\\n#### Possible investigation steps\\n\\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\\n - Check whether the `source.ip` is the server running Azure AD Connect.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\\n\\n### False positive analysis\\n\\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Remove the Shadow Credentials from the object.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. 
These accounts can be added as Exceptions.\"],\"references\":[\"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab\",\"https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials\",\"https://github.com/OTRF/Set-AuditRule\",\"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags 
Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.281Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msDS-KeyCredentialLink\\\" and winlog.event_data.AttributeValue :B\\\\:828* and\\n not winlog.event_data.SubjectUserName: MSOL_*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active 
Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"revision\":0,\"current_rule\":{\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"updated_at\":\"2024-12-04T19:46:03.802Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.802Z\",\"created_by\":\"elastic\",\"name\":\"Potential Execution via XZBackdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ 
backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != \\\"/usr/sbin/sshd\\\"] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == 
\\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Execution via XZBackdoor\",\"description\":\"It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updat
ed_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.802Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\"],\"target_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"merged_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_lin
e\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" 
and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != \\\"/usr/sbin/sshd\\\"] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action 
== \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"revision\":0,\"current_rule\":{\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"updated_at\":\"2024-12-04T19:45:51.288Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.288Z\",\"created_by\":\"elastic\",\"name\":\"Windows Network Enumeration\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.\",\"risk_score\":47,\"severity\":\"medium\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Network Enumeration\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n (process.args : \\\"view\\\" or (process.args : \\\"time\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\")) and\\n not process.command_line : \\\"net view 
\\\\\\\\\\\\\\\\localhost \\\"\\n\\n\\n /* expand when ancestry is available\\n and not descendant of [process where event.type == \\\"start\\\" and process.name : \\\"cmd.exe\\\" and\\n ((process.parent.name : \\\"userinit.exe\\\") or\\n (process.parent.name : \\\"gpscript.exe\\\") or\\n (process.parent.name : \\\"explorer.exe\\\" and\\n process.args : \\\"C:\\\\\\\\*\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.bat*\\\"))]\\n */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Network Enumeration\",\"description\":\"Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Network Enumeration\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.288Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n (process.args : \\\"view\\\" or (process.args : \\\"time\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\")) and\\n not process.command_line : \\\"net view \\\\\\\\\\\\\\\\localhost \\\"\\n\\n\\n /* expand when ancestry is available\\n and not descendant of [process where event.type == \\\"start\\\" and process.name : \\\"cmd.exe\\\" and\\n ((process.parent.name : \\\"userinit.exe\\\") or\\n (process.parent.name : 
\\\"gpscript.exe\\\") or\\n (process.parent.name : \\\"explorer.exe\\\" and\\n process.args : \\\"C:\\\\\\\\*\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.bat*\\\"))]\\n */\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"revision\":0,\"current_rule\":{\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"updated_at\":\"2024-12-04T19:45:51.290Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.290Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious LSASS Access via MalSecLogon\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* seclogon service accessing lsass */\\n winlog.event_data.CallTrace : \\\"*seclogon.dll*\\\" and process.name : \\\"svchost.exe\\\" and\\n\\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\\n winlog.event_data.GrantedAccess == \\\"0x14c0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious LSASS Access via 
MalSecLogon\",\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.290Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* seclogon service accessing lsass */\\n winlog.event_data.CallTrace : \\\"*seclogon.dll*\\\" and process.name : \\\"svchost.exe\\\" and\\n\\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\\n winlog.event_data.GrantedAccess == \\\"0x14c0\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"revision\":0,\"current_rule\":{\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"updated_at\":\"2024-12-04T19:45:51.293Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.293Z\",\"created_by\":\"elastic\",\"name\":\"Tampering of Shell Command-Line History\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and event.type == \\\"start\\\" and\\n (\\n ((process.args : (\\\"rm\\\", \\\"echo\\\") or\\n (process.args : \\\"ln\\\" and process.args : \\\"-sf\\\" and process.args : \\\"/dev/null\\\") or\\n (process.args : \\\"truncate\\\" and process.args : \\\"-s0\\\"))\\n and process.args : (\\\".bash_history\\\", \\\"/root/.bash_history\\\", \\\"/home/*/.bash_history\\\",\\\"/Users/.bash_history\\\", \\\"/Users/*/.bash_history\\\",\\n \\\".zsh_history\\\", \\\"/root/.zsh_history\\\", \\\"/home/*/.zsh_history\\\", 
\\\"/Users/.zsh_history\\\", \\\"/Users/*/.zsh_history\\\")) or\\n (process.args : \\\"history\\\" and process.args : \\\"-c\\\") or\\n (process.args : \\\"export\\\" and process.args : (\\\"HISTFILE=/dev/null\\\", \\\"HISTFILESIZE=0\\\")) or\\n (process.args : \\\"unset\\\" and process.args : \\\"HISTFILE\\\") or\\n (process.args : \\\"set\\\" and process.args : \\\"history\\\" and process.args : \\\"+o\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Tampering of Shell Command-Line History\",\"description\":\"Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.293Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and event.type == \\\"start\\\" and\\n (\\n ((process.args : (\\\"rm\\\", \\\"echo\\\") or\\n (process.args : \\\"ln\\\" and process.args : \\\"-sf\\\" and process.args : \\\"/dev/null\\\") or\\n (process.args : \\\"truncate\\\" and process.args : \\\"-s0\\\"))\\n and process.args : (\\\".bash_history\\\", \\\"/root/.bash_history\\\", \\\"/home/*/.bash_history\\\",\\\"/Users/.bash_history\\\", \\\"/Users/*/.bash_history\\\",\\n \\\".zsh_history\\\", \\\"/root/.zsh_history\\\", \\\"/home/*/.zsh_history\\\", \\\"/Users/.zsh_history\\\", \\\"/Users/*/.zsh_history\\\")) or\\n (process.args : \\\"history\\\" and process.args : \\\"-c\\\") or\\n (process.args : \\\"export\\\" and process.args : (\\\"HISTFILE=/dev/null\\\", \\\"HISTFILESIZE=0\\\")) or\\n (process.args : \\\"unset\\\" and process.args : \\\"HISTFILE\\\") or\\n (process.args : \\\"set\\\" and 
process.args : \\\"history\\\" and process.args : \\\"+o\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"revision\":0,\"current_rule\":{\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"updated_at\":\"2024-12-04T19:45:51.295Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.295Z\",\"created_by\":\"elastic\",\"name\":\"APT Package Manager Configuration File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"APT Package Manager Configuration File Creation\",\"description\":\"Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.295Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\"],\"target_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n 
\\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n 
\\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"updated_at\":\"2024-12-04T19:45:51.298Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.298Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Bitlocker Setting Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Bitlocker Setting Disabled\\n\\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\\n\\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\\n\\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\\n\\n### False positive analysis\\n\\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.\"],\"from\":\"now-130m\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.admin.new_value:\\\"Disabled\\\" and google_workspace.admin.setting.name:BitLocker*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Bitlocker Setting Disabled\",\"description\":\"Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Bitlocker Setting Disabled\\n\\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\\n\\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\\n\\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\\n\\n### False positive analysis\\n\\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.298Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.admin.new_value:\\\"Disabled\\\" and google_workspace.admin.setting.name:BitLocker*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"revision\":0,\"current_rule\":{\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"updated_at\":\"2024-12-04T19:46:03.804Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.804Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. 
This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name in (\\n \\\"applypatch-msg\\\", \\\"commit-msg\\\", \\\"fsmonitor-watchman\\\", \\\"post-update\\\", \\\"post-checkout\\\", \\\"post-commit\\\",\\n \\\"pre-applypatch\\\", \\\"pre-commit\\\", \\\"pre-merge-commit\\\", \\\"prepare-commit-msg\\\", \\\"pre-push\\\", \\\"pre-rebase\\\", \\\"pre-receive\\\",\\n \\\"push-to-checkout\\\", \\\"update\\\", \\\"post-receive\\\", \\\"pre-auto-gc\\\", \\\"post-rewrite\\\", \\\"sendemail-validate\\\", \\\"p4-pre-submit\\\",\\n \\\"post-index-change\\\", \\\"post-merge\\\", \\\"post-applypatch\\\"\\n) and (\\n process.name in (\\\"nohup\\\", \\\"setsid\\\", \\\"disown\\\", \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", 
\\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") or \\n process.name : (\\\"php*\\\", \\\"perl*\\\", \\\"ruby*\\\", \\\"lua*\\\") or \\n process.executable : (\\n \\\"/boot/*\\\", \\\"/dev/shm/*\\\", \\\"/etc/cron.*/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/run/*\\\", \\\"/srv/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/var/log/*\\\"\\n )\\n) and not process.name in (\\\"git\\\", \\\"dirname\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Child Process\",\"description\":\"This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack 
Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.804Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name in (\\n \\\"applypatch-msg\\\", \\\"commit-msg\\\", 
\\\"fsmonitor-watchman\\\", \\\"post-update\\\", \\\"post-checkout\\\", \\\"post-commit\\\",\\n \\\"pre-applypatch\\\", \\\"pre-commit\\\", \\\"pre-merge-commit\\\", \\\"prepare-commit-msg\\\", \\\"pre-push\\\", \\\"pre-rebase\\\", \\\"pre-receive\\\",\\n \\\"push-to-checkout\\\", \\\"update\\\", \\\"post-receive\\\", \\\"pre-auto-gc\\\", \\\"post-rewrite\\\", \\\"sendemail-validate\\\", \\\"p4-pre-submit\\\",\\n \\\"post-index-change\\\", \\\"post-merge\\\", \\\"post-applypatch\\\"\\n) and (\\n process.name in (\\\"nohup\\\", \\\"setsid\\\", \\\"disown\\\", \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") or \\n process.name : (\\\"php*\\\", \\\"perl*\\\", \\\"ruby*\\\", \\\"lua*\\\") or \\n process.executable : (\\n \\\"/boot/*\\\", \\\"/dev/shm/*\\\", \\\"/etc/cron.*/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/run/*\\\", \\\"/srv/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/var/log/*\\\"\\n )\\n) and not process.name in (\\\"git\\\", \\\"dirname\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"target_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"revision\":0,\"current_rule\":{\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"updated_at\":\"2024-12-04T19:45:52.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.011Z\",\"created_by\":\"elastic\",\"name\":\"SSH Key Generated via ssh-keygen\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. 
However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.004\",\"name\":\"SSH Authorized Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1098/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\") and\\nprocess.executable == \\\"/usr/bin/ssh-keygen\\\" and file.path : (\\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\") and\\nnot file.name : \\\"known_hosts.*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SSH Key Generated via ssh-keygen\",\"description\":\"This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. 
However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.004\",\"name\":\"SSH Authorized Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1098/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.011Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\") and\\nprocess.executable == \\\"/usr/bin/ssh-keygen\\\" and file.path : (\\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\") and\\nnot file.name : \\\"known_hosts.*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"revision\":0,\"current_rule\":{\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"updated_at\":\"2024-12-04T19:45:52.016Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.016Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Management Console File from Unusual Path\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"},{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/grimresource\"],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and process.args : \\\"*.msc\\\" and\\n not process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Management Console File from Unusual Path\",\"description\":\"Identifies attempts to open a Microsoft Management Console File from untrusted paths. 
Adversaries may use MSC files for initial access and execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/grimresource\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"},{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.016Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and process.args : \\\"*.msc\\\" and\\n not process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"revision\":0,\"current_rule\":{\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"updated_at\":\"2024-12-04T19:45:52.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.019Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMIC XSL Script Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. 
When WMIC loads scripting libraries it may be indicative of an allowlist bypass.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",
\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan = 2m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or process.pe.original_file_name : \\\"wmic.exe\\\") and\\n process.args : (\\\"format*:*\\\", \\\"/format*:*\\\", \\\"*-format*:*\\\") and\\n not process.command_line : (\\\"* /format:table *\\\", \\\"* /format:table\\\")]\\n[any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\") or file.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\"))]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMIC XSL Script Execution\",\"description\":\"Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. 
When WMIC loads scripting libraries it may be indicative of an allowlist bypass.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.019Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan = 2m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or process.pe.original_file_name : \\\"wmic.exe\\\") and\\n process.args : (\\\"format*:*\\\", \\\"/format*:*\\\", \\\"*-format*:*\\\") and\\n not process.command_line : (\\\"* /format:table *\\\", \\\"* /format:table\\\")]\\n[any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\") or file.name : (\\\"jscript.dll\\\", 
\\\"vbscript.dll\\\"))]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"revision\":0,\"current_rule\":{\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"updated_at\":\"2024-12-04T19:45:52.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.024Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Timer Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. 
Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE 
'/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.006\",\"name\":\"Systemd Timers\",\"reference\":\"https://attack.mitre.org/techniques/T1053/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":13,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true
}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", 
\\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Timer Created\",\"description\":\"Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. 
\\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' 
OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":15,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.006\",\"name\":\"Systemd Timers\",\"reference\":\"https://attack.mitre.org/techniques/T1053/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.024Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", 
\\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n 
\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":13,\"target_version\":15,\"merged_version\":15,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n 
\\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", 
\\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", 
\\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) 
or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"updated_at\":\"2024-12-04T19:45:52.026Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.026Z\",\"created_by\":\"elastic\",\"name\":\"Potential AWS S3 Bucket Ransomware Note Uploaded\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\\n\\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. 
Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. 
Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident 
Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may legitimately access, delete, and replace objects in S3 buckets. 
Ensure that the sequence of events is not part of a legitimate operation before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[\"https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"AWS S3 data types need to be enabled in the CloudTrail trail configuration.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, 
aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential AWS S3 Bucket Ransomware Note Uploaded\",\"description\":\"Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\\n\\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may legitimately access, delete, and replace objects in S3 buckets. 
Ensure that the sequence of events is not part of a legitimate operation before taking action.\"],\"references\":[\"https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"AWS S3 data types need to be enabled in the CloudTrail trail configuration.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.026Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, 
aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect 
aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"revision\":0,\"current_rule\":{\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"updated_at\":\"2024-12-04T19:45:52.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.029Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Kernel Modules via Proc\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. 
These can be exempted by process name or username.\"],\"from\":\"now-119m\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /proc/ -p r -k audit_proc\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(grep or python* or chef-client)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Kernel Modules via Proc\",\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. 
This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /proc/ -p r -k audit_proc\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.029Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or 
chef-client)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(grep or python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"current_version\":\"now-7d\",\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"revision\":0,\"current_rule\":{\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"updated_at\":\"2024-12-04T19:46:03.807Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.807Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell Obfuscated Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/danielbohannon/Invoke-Obfuscation\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[string]::join\\\" or\\n \\\"-Join\\\" or\\n \\\"[convert]::toint16\\\" or\\n \\\"[char][int]$_\\\" or\\n (\\\"ConvertTo-SecureString\\\" and \\\"PtrToStringAuto\\\") or\\n \\\".GetNetworkCredential().password\\\" or\\n \\\"-BXor\\\" or\\n (\\\"replace\\\" and \\\"char\\\") or\\n \\\"[array]::reverse\\\"\\n ) and\\n powershell.file.script_block_text : (\\n (\\\"$pSHoMe[\\\" and \\\"+$pSHoMe[\\\") or\\n (\\\"$ShellId[\\\" and \\\"+$ShellId[\\\") or\\n (\\\"$env:ComSpec[4\\\" and \\\"25]-Join\\\") or\\n 
((\\\"Set-Variable\\\" or \\\"SV\\\" or \\\"Set-Item\\\") and \\\"OFS\\\") or\\n (\\\"*MDR*\\\" and \\\"Name[3,11,2]\\\") or\\n (\\\"$VerbosePreference\\\" and \\\"[1,3]+'X'-Join''\\\") or\\n (\\\"rahc\\\" or \\\"ekovin\\\" or \\\"gnirts\\\" or \\\"ecnereferpesobrev\\\" or \\\"ecalper\\\" or \\\"cepsmoc\\\" or \\\"dillehs\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell Obfuscated Script\",\"description\":\"Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/danielbohannon/Invoke-Obfuscation\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.807Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[string]::join\\\" or\\n \\\"-Join\\\" or\\n \\\"[convert]::toint16\\\" or\\n \\\"[char][int]$_\\\" or\\n (\\\"ConvertTo-SecureString\\\" and \\\"PtrToStringAuto\\\") or\\n \\\".GetNetworkCredential().password\\\" or\\n \\\"-BXor\\\" or\\n (\\\"replace\\\" and \\\"char\\\") or\\n \\\"[array]::reverse\\\"\\n ) and\\n powershell.file.script_block_text : (\\n (\\\"$pSHoMe[\\\" and \\\"+$pSHoMe[\\\") or\\n 
(\\\"$ShellId[\\\" and \\\"+$ShellId[\\\") or\\n (\\\"$env:ComSpec[4\\\" and \\\"25]-Join\\\") or\\n ((\\\"Set-Variable\\\" or \\\"SV\\\" or \\\"Set-Item\\\") and \\\"OFS\\\") or\\n (\\\"*MDR*\\\" and \\\"Name[3,11,2]\\\") or\\n (\\\"$VerbosePreference\\\" and \\\"[1,3]+'X'-Join''\\\") or\\n (\\\"rahc\\\" or \\\"ekovin\\\" or \\\"gnirts\\\" or \\\"ecnereferpesobrev\\\" or \\\"ecalper\\\" or \\\"cepsmoc\\\" or \\\"dillehs\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"revision\":0,\"current_rule\":{\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"updated_at\":\"2024-12-04T19:45:52.037Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.037Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Troubleshooting Pack Cabinet Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent 
process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : \\\"msdt.exe\\\" or ?process.pe.original_file_name == \\\"msdt.exe\\\") and process.args : \\\"/cab\\\" and\\n process.parent.name : (\\n \\\"firefox.exe\\\", \\\"chrome.exe\\\", \\\"msedge.exe\\\", 
\\\"explorer.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\",\\n \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"iexplore\\\", \\\"firefox.exe\\\", \\\"waterfox.exe\\\", \\\"iexplore.exe\\\",\\n \\\"winrar.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"outlook.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\"\\n ) and\\n process.args : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\",\\n \\\"http*\\\",\\n \\\"ftp://*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Troubleshooting Pack Cabinet Execution\",\"description\":\"Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.037Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : \\\"msdt.exe\\\" or ?process.pe.original_file_name == \\\"msdt.exe\\\") and process.args : \\\"/cab\\\" and\\n process.parent.name : (\\n \\\"firefox.exe\\\", \\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"explorer.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\",\\n \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"iexplore\\\", \\\"firefox.exe\\\", \\\"waterfox.exe\\\", \\\"iexplore.exe\\\",\\n \\\"winrar.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"outlook.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\"\\n ) and\\n process.args : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\",\\n \\\"http*\\\",\\n \\\"ftp://*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"revision\":0,\"current_rule\":{\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"updated_at\":\"2024-12-04T19:45:52.047Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.047Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script Block Logging Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script Block Logging Disabled\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\\n\\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\\n- Investigate if PowerShell scripts were run after logging was disabled.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script Block Logging Disabled\",\"description\":\"Identifies attempts to disable PowerShell Script Block Logging via registry modification. 
Attackers may disable this logging to conceal their activities in the host and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script Block Logging Disabled\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\\n\\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\\n- Investigate if PowerShell scripts were run after logging was disabled.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.047Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", 
\\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"revision\":0,\"current_rule\":{\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"updated_at\":\"2024-12-04T19:45:52.049Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.049Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Payload Encoded and Compressed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts which make use of compression and encoding.\"],\"from\":\"now-9m\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"System.IO.Compression.DeflateStream\\\" or\\n \\\"System.IO.Compression.GzipStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GzipStream\\\"\\n ) and\\n FromBase64String\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat 
Protection\\\\\\\\Downloads\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Payload Encoded and Compressed\",\"description\":\"Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time the script was executed.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts which make use of compression and encoding.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.049Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"System.IO.Compression.DeflateStream\\\" or\\n \\\"System.IO.Compression.GzipStream\\\" or\\n 
\\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GzipStream\\\"\\n ) and\\n FromBase64String\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"revision\":0,\"current_rule\":{\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"updated_at\":\"2024-12-04T19:45:52.051Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.051Z\",\"created_by\":\"elastic\",\"name\":\"Temporarily Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation and deletion of a scheduled task within a short time interval. 
Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\\n [iam where event.action == \\\"scheduled-task-created\\\" and not user.name : \\\"*$\\\"]\\n [iam where event.action == \\\"scheduled-task-deleted\\\" and not user.name : \\\"*$\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Temporarily Scheduled Task Creation\",\"description\":\"Indicates the creation and deletion of a scheduled task within a short time interval. 
Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.051Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\\n [iam where event.action == \\\"scheduled-task-created\\\" and not user.name : \\\"*$\\\"]\\n [iam where event.action == \\\"scheduled-task-deleted\\\" and not user.name : \\\"*$\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"revision\":0,\"current_rule\":{\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"updated_at\":\"2024-12-04T19:45:52.056Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.056Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Local Account Brute Force Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. 
Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\"\\n )\\n ] with runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Local Account Brute Force Detected\",\"description\":\"Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. 
Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.056Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", 
\\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == 
\\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"revision\":0,\"current_rule\":{\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"updated_at\":\"2024-12-04T19:45:52.061Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.061Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Disable IPTables or Firewall\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args == \\\"-F\\\" and process.args_count == 2)\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Disable IPTables or Firewall\",\"description\":\"Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: 
Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.061Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", \\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"key
word\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args == \\\"-F\\\" and process.args_count == 2)\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", 
\\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", \\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"revision\":0,\"current_rule\":{\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"updated_at\":\"2024-12-04T19:45:52.066Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.066Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Transport Agent Install Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: PowerShell Logs\",\"Rule Type: 
BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.002\",\"name\":\"Transport Agent\",\"reference\":\"https://attack.mitre.org/techniques/T1505/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\nSteps to implement the logging policy via registry:\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Install-TransportAgent\\\" or\\n \\\"Enable-TransportAgent\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not powershell.file.script_block_text : (\\n \\\"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\\\" or\\n \\\"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\\\" or\\n (\\\"scriptCmd.GetSteppablePipeline\\\" and \\\"ForwardHelpTargetName Install-TransportAgent\\\")\\n 
)\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Transport Agent Install Script\",\"description\":\"Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. 
Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.002\",\"name\":\"Transport Agent\",\"reference\":\"https://attack.mitre.org/techniques/T1505/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\nSteps to implement the logging policy via registry:\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.066Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n 
\\\"Install-TransportAgent\\\" or\\n \\\"Enable-TransportAgent\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not powershell.file.script_block_text : (\\n \\\"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\\\" or\\n \\\"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\\\" or\\n (\\\"scriptCmd.GetSteppablePipeline\\\" and \\\"ForwardHelpTargetName Install-TransportAgent\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"revision\":0,\"current_rule\":{\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"updated_at\":\"2024-12-04T19:46:04.828Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.828Z\",\"created_by\":\"elastic\",\"name\":\"At Job Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for at jobs being created or renamed. 
Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : \\\"/var/spool/cron/atjobs/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", 
\\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"At Job Created or Modified\",\"description\":\"This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.828Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : \\\"/var/spool/cron/atjobs/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"updated_at\":\"2024-12-04T19:45:52.074Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.074Z\",\"created_by\":\"elastic\",\"name\":\"Enumerating Domain Trusts via NLTEST.EXE\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer.\"],\"from\":\"now-9m\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\",\"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nltest.exe\\\" and process.args : (\\n \\\"/DCLIST:*\\\", \\\"/DCNAME:*\\\", \\\"/DSGET*\\\",\\n \\\"/LSAQUERYFTI:*\\\", \\\"/PARENTDOMAIN\\\",\\n \\\"/DOMAIN_TRUSTS\\\", \\\"/BDC_QUERY:*\\\"\\n ) and \\nnot process.parent.name : \\\"PDQInventoryScanner.exe\\\" and \\nnot user.id in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumerating Domain Trusts via NLTEST.EXE\",\"description\":\"Identifies the use of nltest.exe for domain trust discovery purposes. 
Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer.\"],\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\",\"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.074Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nltest.exe\\\" and process.args : (\\n \\\"/DCLIST:*\\\", \\\"/DCNAME:*\\\", \\\"/DSGET*\\\",\\n \\\"/LSAQUERYFTI:*\\\", \\\"/PARENTDOMAIN\\\",\\n \\\"/DOMAIN_TRUSTS\\\", \\\"/BDC_QUERY:*\\\"\\n ) and \\nnot process.parent.name : \\\"PDQInventoryScanner.exe\\\" and \\nnot user.id in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", 
\\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"revision\":0,\"current_rule\":{\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"updated_at\":\"2024-12-04T19:45:52.079Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.079Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PowerShell Engine ImageLoad\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PowerShell Engine ImageLoad\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \\\"PowerShell without PowerShell,\\\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. 
These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":210,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:library and \\n 
dll.name:(\\\"System.Management.Automation.dll\\\" or \\\"System.Management.Automation.ni.dll\\\") and \\n not (\\n process.code_signature.subject_name:(\\\"Microsoft Corporation\\\" or \\\"Microsoft Dynamic Code Publisher\\\" or \\\"Microsoft Windows\\\") and process.code_signature.trusted:true and not process.name.caseless:(\\\"regsvr32.exe\\\" or \\\"rundll32.exe\\\")\\n ) and \\n not (\\n process.executable.caseless:(C\\\\:\\\\\\\\Program*Files*\\\\(x86\\\\)\\\\\\\\*.exe or C\\\\:\\\\\\\\Program*Files\\\\\\\\*.exe) and\\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: C\\\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\\\"Lenovo\\\" and \\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: \\\"C:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\choco.exe\\\" and\\n process.code_signature.subject_name:\\\"Chocolatey Software, Inc.\\\" and process.code_signature.trusted:true\\n ) and not process.executable.caseless : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.library-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PowerShell Engine ImageLoad\",\"description\":\"Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PowerShell Engine ImageLoad\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \\\"PowerShell without PowerShell,\\\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. 
These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.079Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:library and \\n dll.name:(\\\"System.Management.Automation.dll\\\" or \\\"System.Management.Automation.ni.dll\\\") and \\n not (\\n process.code_signature.subject_name:(\\\"Microsoft Corporation\\\" or \\\"Microsoft Dynamic Code Publisher\\\" or \\\"Microsoft Windows\\\") and process.code_signature.trusted:true and not process.name.caseless:(\\\"regsvr32.exe\\\" or \\\"rundll32.exe\\\")\\n ) and \\n not (\\n process.executable.caseless:(C\\\\:\\\\\\\\Program*Files*\\\\(x86\\\\)\\\\\\\\*.exe or C\\\\:\\\\\\\\Program*Files\\\\\\\\*.exe) and\\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: C\\\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\\\"Lenovo\\\" and \\n 
process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: \\\"C:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\choco.exe\\\" and\\n process.code_signature.subject_name:\\\"Chocolatey Software, Inc.\\\" and process.code_signature.trusted:true\\n ) and not process.executable.caseless : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.library-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":210,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"revision\":0,\"current_rule\":{\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"updated_at\":\"2024-12-04T19:45:52.089Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.089Z\",\"created_by\":\"elastic\",\"name\":\"Security Software Discovery via Grep\",\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery via Grep\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Endpoint Security installers, updaters and post installation verification scripts.\"],\"from\":\"now-9m\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\"],\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n 
\\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Security Software Discovery via Grep\",\"description\":\"Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery via Grep\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. 
This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Endpoint Security installers, updaters and post installation verification scripts.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.089Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n 
(process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n 
\\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not 
(\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n 
(process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"revision\":0,\"current_rule\":{\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"updated_at\":\"2024-12-04T19:45:52.091Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.091Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Administrator Accounts\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Administrator Accounts\\n\\nAfter successfully compromising an 
environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"},{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n (process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\")\\n ) and\\n process.args : (\\\"group\\\", \\\"user\\\", \\\"localgroup\\\") and\\n process.args : 
(\\\"*admin*\\\", \\\"Domain Admins\\\", \\\"Remote Desktop Users\\\", \\\"Enterprise Admins\\\", \\\"Organization Management\\\")\\n and not process.args : (\\\"/add\\\", \\\"/delete\\\")\\n ) or\\n (\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : (\\\"group\\\", \\\"useraccount\\\")\\n )\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Administrator Accounts\",\"description\":\"Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Administrator Accounts\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"},{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.091Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n (process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\")\\n ) and\\n process.args : (\\\"group\\\", \\\"user\\\", \\\"localgroup\\\") and\\n process.args : (\\\"*admin*\\\", \\\"Domain Admins\\\", \\\"Remote Desktop Users\\\", \\\"Enterprise Admins\\\", \\\"Organization Management\\\")\\n and not process.args : (\\\"/add\\\", \\\"/delete\\\")\\n ) or\\n (\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : (\\\"group\\\", 
\\\"useraccount\\\")\\n )\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"revision\":0,\"current_rule\":{\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"updated_at\":\"2024-12-04T19:45:52.096Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.096Z\",\"created_by\":\"elastic\",\"name\":\"Potential Suspicious Clipboard Activity Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard 
Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and\\nevent.type:\\\"start\\\" and event.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"process.group_leader.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Clipboard Activity Detected\",\"description\":\"This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.096Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and 
event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"process.group_leader.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Suspicious Clipboard Activity Detected\",\"target_version\":\"Linux Clipboard Activity Detected\",\"merged_version\":\"Linux Clipboard Activity Detected\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and\\nevent.type:\\\"start\\\" and event.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"revision\":0,\"current_rule\":{\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"updated_at\":\"2024-12-04T19:45:52.103Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.103Z\",\"created_by\":\"elastic\",\"name\":\"Potential Sudo Hijacking\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\nfile.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") and not (\\n file.Ext.original.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") or\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\",\\n \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\",\\n \\\"/usr/sbin/pacman\\\", \\\"/usr/bin/microdnf\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/local/bin/podman\\\", \\\"/usr/local/bin/dnf\\\",\\n \\\"/kaniko/executor\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-cache\\\", \\\"/usr/bin/apt-mark\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", 
\\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/var/lib/docker/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Sudo Hijacking\",\"description\":\"Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.103Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\nfile.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") and not (\\n file.Ext.original.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") or\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", 
\\\"/bin/microdnf\\\",\\n \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\",\\n \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\",\\n \\\"/usr/sbin/pacman\\\", \\\"/usr/bin/microdnf\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/local/bin/podman\\\", \\\"/usr/local/bin/dnf\\\",\\n \\\"/kaniko/executor\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-cache\\\", \\\"/usr/bin/apt-mark\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/var/lib/docker/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\"],\"target_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"revision\":0,\"current_rule\":{\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"updated_at\":\"2024-12-04T19:45:52.109Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.109Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMI Image Load from MS Office\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). 
This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMI Image Load from MS Office\",\"description\":\"Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.109Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : 
\\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"revision\":0,\"current_rule\":{\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"updated_at\":\"2024-12-04T19:45:52.112Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.112Z\",\"created_by\":\"elastic\",\"name\":\"Potential WPAD Spoofing via DNS Record Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. 
Attackers can disable the Global Query Block List (GQBL) and create a \\\"wpad\\\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing\",\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not 
cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectDN : \\\"DC=wpad,*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential WPAD Spoofing via DNS Record Creation\",\"description\":\"Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \\\"wpad\\\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing\",\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.112Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in 
(\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectDN : \\\"DC=wpad,*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"revision\":0,\"current_rule\":{\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"updated_at\":\"2024-12-04T19:45:52.114Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.114Z\",\"created_by\":\"elastic\",\"name\":\"Kerberos Traffic from Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Traffic from Unusual Process\\n\\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\\n\\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the Destination IP is related to a Domain Controller.\\n- Review event ID 4769 for suspicious ticket requests.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\\n- Exceptions can be added for noisy/frequent connections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Ticket requests can be used to investigate potentially compromised accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"HTTP traffic on a non standard port. 
Verify that the destination IP address is not related to a Domain Controller.\"],\"from\":\"now-9m\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and network.direction == \\\"egress\\\" and\\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \\\"*\\\" and\\n not \\n (\\n process.executable : (\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap oem\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\windows\\\\\\\\system32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Amazon Corretto\\\\\\\\jdk1*\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Proxy Server\\\\\\\\bin\\\\\\\\prunsrv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Core\\\\\\\\tomcat-core\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\DBeaver\\\\\\\\dbeaver.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.backend.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\JetBrains\\\\\\\\PyCharm Community Edition*\\\\\\\\bin\\\\\\\\pycharm64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Oracle\\\\\\\\VirtualBox\\\\\\\\VirtualBoxVM.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Puppet Labs\\\\\\\\Puppet\\\\\\\\puppet\\\\\\\\bin\\\\\\\\ruby.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\rapid7\\\\\\\\nexpose\\\\\\\\nse\\\\\\\\.DLLCACHE\\\\\\\\nseserv.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Silverfort\\\\\\\\Silverfort AD Adapter\\\\\\\\SilverfortServer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Tenable\\\\\\\\Nessus\\\\\\\\nessusd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware View\\\\\\\\Server\\\\\\\\bin\\\\\\\\ws_TomcatService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Advanced Port Scanner\\\\\\\\advanced_port_scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcpatchscan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GFI\\\\\\\\LanGuard 12 Agent\\\\\\\\lnsscomm.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\MicrosoftEdgeUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Silverlight\\\\\\\\sllauncher.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap OEM\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\nwps\\\\\\\\NetScanTools Pro\\\\\\\\NSTPRO.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP BusinessObjects\\\\\\\\tomcat\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SuperScan\\\\\\\\scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Zscaler\\\\\\\\ZSATunnel\\\\\\\\ZSATunnel.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\vmnat.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SystemApps\\\\\\\\Microsoft.MicrosoftEdge_*\\\\\\\\MicrosoftEdge.exe\\\",\\n \\\"System\\\"\\n ) and process.code_signature.trusted == true\\n ) and\\n destination.address != \\\"127.0.0.1\\\" and destination.address != \\\"::1\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kerberos Traffic from Unusual Process\",\"description\":\"Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Traffic from Unusual Process\\n\\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\\n\\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the Destination IP is related to a Domain Controller.\\n- Review event ID 4769 for suspicious ticket requests.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\\n- Exceptions can be added for noisy/frequent connections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Ticket requests can be used to investigate potentially compromised accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"HTTP traffic on a non standard port. 
Verify that the destination IP address is not related to a Domain Controller.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.114Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and network.direction == \\\"egress\\\" and\\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \\\"*\\\" and\\n not \\n (\\n process.executable : (\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap\\\\\\\\nmap.exe\\\",\\n 
\\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap oem\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\windows\\\\\\\\system32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Amazon Corretto\\\\\\\\jdk1*\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Proxy Server\\\\\\\\bin\\\\\\\\prunsrv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Core\\\\\\\\tomcat-core\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\DBeaver\\\\\\\\dbeaver.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.backend.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\JetBrains\\\\\\\\PyCharm Community Edition*\\\\\\\\bin\\\\\\\\pycharm64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Oracle\\\\\\\\VirtualBox\\\\\\\\VirtualBoxVM.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Puppet Labs\\\\\\\\Puppet\\\\\\\\puppet\\\\\\\\bin\\\\\\\\ruby.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\rapid7\\\\\\\\nexpose\\\\\\\\nse\\\\\\\\.DLLCACHE\\\\\\\\nseserv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Silverfort\\\\\\\\Silverfort AD Adapter\\\\\\\\SilverfortServer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Tenable\\\\\\\\Nessus\\\\\\\\nessusd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware View\\\\\\\\Server\\\\\\\\bin\\\\\\\\ws_TomcatService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Advanced 
Port Scanner\\\\\\\\advanced_port_scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcpatchscan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GFI\\\\\\\\LanGuard 12 Agent\\\\\\\\lnsscomm.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\MicrosoftEdgeUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Silverlight\\\\\\\\sllauncher.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap OEM\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\nwps\\\\\\\\NetScanTools Pro\\\\\\\\NSTPRO.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP BusinessObjects\\\\\\\\tomcat\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SuperScan\\\\\\\\scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Zscaler\\\\\\\\ZSATunnel\\\\\\\\ZSATunnel.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\vmnat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemApps\\\\\\\\Microsoft.MicrosoftEdge_*\\\\\\\\MicrosoftEdge.exe\\\",\\n \\\"System\\\"\\n ) and process.code_signature.trusted == true\\n ) and\\n destination.address != \\\"127.0.0.1\\\" and destination.address != 
\\\"::1\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"revision\":0,\"current_rule\":{\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"updated_at\":\"2024-12-04T19:45:52.117Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.117Z\",\"created_by\":\"elastic\",\"name\":\"Command Prompt Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies cmd.exe making a network connection. 
Adversaries could abuse cmd.exe to download or execute malware from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Command Prompt Network Connection\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine if any file was downloaded and check if it is an executable or script.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and file name conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : (\\n \\\"wpad\\\", \\\"localhost\\\", 
\\\"ocsp.comodoca.com\\\", \\\"ocsp.digicert.com\\\", \\\"ocsp.sectigo.com\\\", \\\"crl.comodoca.com\\\"\\n )]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Prompt Network Connection\",\"description\":\"Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Command Prompt Network Connection\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine if any file was downloaded and check if it is an executable or script.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and file name conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.117Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : (\\n \\\"wpad\\\", \\\"localhost\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.digicert.com\\\", \\\"ocsp.sectigo.com\\\", 
\\\"crl.comodoca.com\\\"\\n )]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"revision\":0,\"current_rule\":{\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"updated_at\":\"2024-12-04T19:45:52.124Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.124Z\",\"created_by\":\"elastic\",\"name\":\"SUID/SGID Bit Set\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. 
An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.name == \\\"chmod\\\" and (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m\\\" and\\n (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\"))\\n) and not (\\n process.parent.executable : (\\n \\\"/usr/NX/*\\\", \\\"/var/lib/docker/*\\\", \\\"/var/lib/dpkg/info*\\\", \\\"/tmp/newroot/*\\\",\\n \\\"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\\\"\\n ) or\\n process.args : (\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/usr/bin/keybase-redirector\\\", \\\"/usr/local/share/fonts\\\", \\\"/usr/bin/ssh-agent\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SUID/SGID Bit Set\",\"description\":\"An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the 
privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.124Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.name == \\\"chmod\\\" and (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m\\\" and\\n (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\"))\\n) and not (\\n process.parent.executable : (\\n \\\"/usr/NX/*\\\", \\\"/var/lib/docker/*\\\", \\\"/var/lib/dpkg/info*\\\", \\\"/tmp/newroot/*\\\",\\n \\\"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\\\"\\n ) or\\n process.args : (\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/usr/bin/keybase-redirector\\\", \\\"/usr/local/share/fonts\\\", \\\"/usr/bin/ssh-agent\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"revision\":0,\"current_rule\":{\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"updated_at\":\"2024-12-04T19:45:52.126Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.126Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution from a Mounted Device\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a script interpreter or signed binary is launched via a non-standard working directory. 
An attacker may use this technique to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"C:\\\\\\\\*\\\" and\\n (process.working_directory : \\\"?:\\\\\\\\\\\" and not process.working_directory: \\\"C:\\\\\\\\\\\") and\\n process.parent.name : \\\"explorer.exe\\\" and\\n process.name : (\\\"rundll32.exe\\\", 
\\\"mshta.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"cmd.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution from a Mounted Device\",\"description\":\"Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.126Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and process.executable : \\\"C:\\\\\\\\*\\\" and\\n (process.working_directory : \\\"?:\\\\\\\\\\\" and not process.working_directory: \\\"C:\\\\\\\\\\\") and\\n process.parent.name : \\\"explorer.exe\\\" and\\n process.name : (\\\"rundll32.exe\\\", \\\"mshta.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"cmd.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"revision\":0,\"current_rule\":{\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"updated_at\":\"2024-12-04T19:45:52.131Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.131Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious JAVA Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Use Case: 
Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Java Child Process\\n\\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised 
accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.lunasec.io/docs/blog/log4j-zero-day/\",\"https://github.com/christophetd/log4shell-vulnerable-app\",\"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\",\"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and event.type:(\\\"start\\\" or \\\"process_started\\\") and process.parent.name:\\\"java\\\" and process.name:(\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\\n nc or netcat or ncat or telnet or 
awk or socat or wget or curl\\n) and process.args :(\\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Deprecated - Suspicious JAVA Child Process\",\"description\":\"Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Java Child Process\\n\\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.lunasec.io/docs/blog/log4j-zero-day/\",\"https://github.com/christophetd/log4shell-vulnerable-app\",\"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\",\"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.131Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and event.type:(\\\"start\\\" or \\\"process_started\\\") and process.parent.name:\\\"java\\\" and process.name:(\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\\n nc or netcat or ncat or telnet or awk or socat or wget or curl\\n) and process.args :(\\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Suspicious JAVA Child Process\",\"target_version\":\"Deprecated - Suspicious JAVA Child Process\",\"merged_version\":\"Deprecated - Suspicious JAVA Child Process\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"revision\":0,\"current_rule\":{\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"updated_at\":\"2024-12-04T19:45:52.136Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.136Z\",\"created_by\":\"elastic\",\"name\":\"Executable File Creation with Multiple Extensions\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Masquerading can allow an adversary to evade defenses and better blend in with the environment. 
One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.007\",\"name\":\"Double File Extension\",\"reference\":\"https://attack.mitre.org/techniques/T1036/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"exe\\\" and\\n file.name regex~ \\\"\\\"\\\".*\\\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\\\.exe\\\"\\\"\\\" and\\n not (process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\QGIS_SCCM\\\\\\\\Files\\\\\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\\\") and\\n file.path : 
\\\"?:\\\\\\\\Program Files\\\\\\\\QGIS *\\\\\\\\apps\\\\\\\\grass\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Executable File Creation with Multiple Extensions\",\"description\":\"Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.007\",\"name\":\"Double File Extension\",\"reference\":\"https://attack.mitre.org/techniques/T1036/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.136Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"exe\\\" and\\n file.name regex~ \\\"\\\"\\\".*\\\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\\\.exe\\\"\\\"\\\" and\\n not (process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\QGIS_SCCM\\\\\\\\Files\\\\\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Program Files\\\\\\\\QGIS 
*\\\\\\\\apps\\\\\\\\grass\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"revision\":0,\"current_rule\":{\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"updated_at\":\"2024-12-04T19:45:53.202Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.202Z\",\"created_by\":\"elastic\",\"name\":\"Enable Host Network Discovery via Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enable Host Network Discovery via Netsh\\n\\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable Network Discovery:\\n - Using netsh: `netsh advfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=No`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Host Windows Firewall planned system administration changes.\"],\"from\":\"now-9m\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.name : \\\"netsh.exe\\\" and\\nprocess.args : (\\\"firewall\\\", \\\"advfirewall\\\") and process.args : \\\"group=Network Discovery\\\" and process.args : \\\"enable=Yes\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enable Host Network Discovery via Netsh\",\"description\":\"Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enable Host Network Discovery via Netsh\\n\\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. 
This rule looks for the setup of this setting using the netsh utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable Network Discovery:\\n - Using netsh: `netsh advfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=No`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Host Windows Firewall planned system administration changes.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.202Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.name : \\\"netsh.exe\\\" and\\nprocess.args : (\\\"firewall\\\", \\\"advfirewall\\\") and process.args : \\\"group=Network Discovery\\\" and process.args : \\\"enable=Yes\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"revision\":0,\"current_rule\":{\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"updated_at\":\"2024-12-04T19:45:53.072Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.072Z\",\"created_by\":\"elastic\",\"name\":\"RDP (Remote Desktop Protocol) from the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. 
Such work-flows are usually known and not unexpected.\"],\"from\":\"now-9m\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:3389 or 
event.dataset:zeek.rdp) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RDP (Remote Desktop Protocol) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. 
RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.072Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"revision\":0,\"current_rule\":{\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"updated_at\":\"2024-12-04T19:45:53.074Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.074Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Process of dns.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Process of dns.exe\\n\\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. 
This can effectively compromise the entire corporate infrastructure.\\n\\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes.\\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the host during the past 48 hours.\\n- Check whether the server is vulnerable to CVE-2020-1350.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised server to a clean state.\\n- Install the latest patches on systems that run Microsoft DNS Server.\\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. 
Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.\"],\"from\":\"now-9m\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://github.com/maxpl0it/CVE-2020-1350-DoS\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"dns.exe\\\" and\\n not process.name : \\\"conhost.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Process of dns.exe\",\"description\":\"Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Process of dns.exe\\n\\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\\n\\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes.\\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the host during the past 48 hours.\\n- Check whether the server is vulnerable to CVE-2020-1350.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised server to a clean state.\\n- Install the latest patches on systems that run Microsoft DNS Server.\\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. 
Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.\"],\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://github.com/maxpl0it/CVE-2020-1350-DoS\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.074Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"dns.exe\\\" and\\n 
not process.name : \\\"conhost.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"revision\":0,\"current_rule\":{\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"updated_at\":\"2024-12-04T19:45:40.214Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.214Z\",\"created_by\":\"elastic\",\"name\":\"Potential SharpRDP Behavior\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral 
movement.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\
"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\"],\"query\":\"/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\\n\\nsequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"svchost.exe\\\" and destination.port == 3389 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.name : \\\"explorer.exe\\\" and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\RunMRU\\\\\\\\*\\\") and\\n registry.data.strings : (\\\"cmd.exe*\\\", \\\"powershell.exe*\\\", \\\"taskmgr*\\\", \\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\\\\\\*\\\")\\n ]\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"taskmgr.exe\\\") or process.args : (\\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\")) and\\n not process.name : \\\"conhost.exe\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential SharpRDP Behavior\",\"description\":\"Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"immutable\":true,\"rule_sourc
e\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.214Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\\n\\nsequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"svchost.exe\\\" and destination.port == 3389 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.name : \\\"explorer.exe\\\" and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\RunMRU\\\\\\\\*\\\") and\\n registry.data.strings : (\\\"cmd.exe*\\\", \\\"powershell.exe*\\\", \\\"taskmgr*\\\", \\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\\\\\\*\\\")\\n ]\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"taskmgr.exe\\\") or process.args : (\\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\")) and\\n not process.name : \\\"conhost.exe\\\"\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"revision\":0,\"current_rule\":{\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"updated_at\":\"2024-12-04T19:46:04.715Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.715Z\",\"created_by\":\"elastic\",\"name\":\"RPM Package Installed by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. 
RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"RPM Package Installed by Unusual Parent Process\",\"description\":\"This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. 
Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.715Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"revision\":0,\"current_rule\":{\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"updated_at\":\"2024-12-04T19:45:53.094Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.094Z\",\"created_by\":\"elastic\",\"name\":\"Potential WSUS Abuse for Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. 
WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\"],\"query\":\
"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\" and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential WSUS Abuse for Lateral Movement\",\"description\":\"Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.094Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : 
\\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\" and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"revision\":0,\"current_rule\":{\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"updated_at\":\"2024-12-04T19:45:53.097Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.097Z\",\"created_by\":\"elastic\",\"name\":\"Potential Outgoing RDP Connection by Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and\\n event.action == \\\"connection_attempted\\\" and destination.port == 3389 and\\n destination.ip != \\\"::1\\\" and destination.ip != \\\"127.0.0.1\\\" and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\mRemoteNG\\\\\\\\mRemoteNG.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\PRTG Network Monitor\\\\\\\\PRTG Probe.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Azure Advanced Threat Protection Sensor\\\\\\\\*\\\\\\\\Microsoft.Tri.Sensor.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Remote Desktop Connection Manager\\\\\\\\RDCMan.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SentinelOne\\\\\\\\Sentinel Agent*\\\\\\\\Ranger\\\\\\\\SentinelRanger.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\"\\n ) and process.code_signature.trusted == true\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Outgoing RDP Connection by Unusual Process\",\"description\":\"Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.097Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and\\n event.action == \\\"connection_attempted\\\" and destination.port == 3389 and\\n destination.ip != \\\"::1\\\" and destination.ip != \\\"127.0.0.1\\\" and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\mRemoteNG\\\\\\\\mRemoteNG.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\PRTG Network Monitor\\\\\\\\PRTG Probe.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Azure Advanced Threat Protection Sensor\\\\\\\\*\\\\\\\\Microsoft.Tri.Sensor.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Remote Desktop Connection Manager\\\\\\\\RDCMan.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SentinelOne\\\\\\\\Sentinel Agent*\\\\\\\\Ranger\\\\\\\\SentinelRanger.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Devolutions\\\\\\\\Remote Desktop 
Manager\\\\\\\\RemoteDesktopManager.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"revision\":0,\"current_rule\":{\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"updated_at\":\"2024-12-04T19:45:53.099Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.099Z\",\"created_by\":\"elastic\",\"name\":\"Bitsadmin Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. 
Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"bitsadmin.exe\\\" and process.args : (\\n \\\"*Transfer*\\\", \\\"*Create*\\\", \\\"AddFile\\\", \\\"*SetNotifyFlags*\\\", \\\"*SetNotifyCmdLine*\\\",\\n \\\"*SetMinRetryDelay*\\\", \\\"*SetCustomHeaders*\\\", \\\"*Resume*\\\")\\n ) or\\n (process.name : \\\"powershell.exe\\\" and process.args : (\\n \\\"*Start-BitsTransfer*\\\", \\\"*Add-BitsFile*\\\",\\n \\\"*Resume-BitsTransfer*\\\", \\\"*Set-BitsTransfer*\\\", \\\"*BITS.Manager*\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Bitsadmin Activity\",\"description\":\"Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. 
Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.099Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"bitsadmin.exe\\\" and process.args : (\\n \\\"*Transfer*\\\", \\\"*Create*\\\", \\\"AddFile\\\", \\\"*SetNotifyFlags*\\\", \\\"*SetNotifyCmdLine*\\\",\\n \\\"*SetMinRetryDelay*\\\", \\\"*SetCustomHeaders*\\\", \\\"*Resume*\\\")\\n ) or\\n (process.name : \\\"powershell.exe\\\" and process.args : (\\n \\\"*Start-BitsTransfer*\\\", \\\"*Add-BitsFile*\\\",\\n \\\"*Resume-BitsTransfer*\\\", \\\"*Set-BitsTransfer*\\\", \\\"*BITS.Manager*\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"revision\":0,\"current_rule\":{\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"updated_at\":\"2024-12-04T19:45:53.102Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.102Z\",\"created_by\":\"elastic\",\"name\":\"Potential ADIDNS Poisoning via Wildcard Record Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. 
Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and startsWith(winlog.event_data.ObjectDN, \\\"DC=*,\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential ADIDNS Poisoning via Wildcard Record Creation\",\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. 
Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 
'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.672Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.102Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and startsWith(winlog.event_data.ObjectDN, \\\"DC=*,\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory 
Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"revision\":0,\"current_rule\":{\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"updated_at\":\"2024-12-04T19:45:40.211Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.211Z\",\"created_by\":\"elastic\",\"name\":\"Potential Port Monitor or Print Processor Registration Abuse\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies port monitor and print processor registry modifications. 
Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print 
Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\"\\n ) and registry.data.strings : \\\"*.dll\\\" and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Port Monitor or Print Processor Registration Abuse\",\"description\":\"Identifies port monitor and print processor registry modifications. 
Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print 
Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.211Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\"\\n ) and registry.data.strings : \\\"*.dll\\\" and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"revision\":0,\"current_rule\":{\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"updated_at\":\"2024-12-04T19:45:53.104Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.104Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",
\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"explorer.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\",\"description\":\"Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.104Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"explorer.exe\\\"\\n ] by 
process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"revision\":0,\"current_rule\":{\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"updated_at\":\"2024-12-04T19:45:53.116Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.116Z\",\"created_by\":\"elastic\",\"name\":\"InstallUtil Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. 
Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"installutil.exe\\\" and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"InstallUtil Activity\",\"description\":\"InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET 
binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.116Z\",\"created_by\":\"elastic\",\"revision\":1,\"type
\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"installutil.exe\\\" and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"revision\":0,\"current_rule\":{\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"updated_at\":\"2024-12-04T19:45:53.134Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.134Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Script with Clipboard Retrieval Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (powershell.file.script_block_text : (\\n \\\"Windows.Clipboard\\\" or\\n \\\"Windows.Forms.Clipboard\\\" or\\n \\\"Windows.Forms.TextBox\\\"\\n ) and\\n powershell.file.script_block_text : (\\n \\\"]::GetText\\\" or\\n 
\\\".Paste()\\\"\\n )) or powershell.file.script_block_text : \\\"Get-Clipboard\\\" and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.path : C\\\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\\n file.name : (\\\"Convert-ExcelRangeToImage.ps1\\\" or \\\"Read-Clipboard.ps1\\\")\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Clipboard Retrieval Capabilities\",\"description\":\"Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.134Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n (powershell.file.script_block_text : (\\n \\\"Windows.Clipboard\\\" or\\n \\\"Windows.Forms.Clipboard\\\" or\\n \\\"Windows.Forms.TextBox\\\"\\n ) and\\n powershell.file.script_block_text : (\\n \\\"]::GetText\\\" or\\n \\\".Paste()\\\"\\n )) or powershell.file.script_block_text : \\\"Get-Clipboard\\\" and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and 
\\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.path : C\\\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\\n file.name : (\\\"Convert-ExcelRangeToImage.ps1\\\" or \\\"Read-Clipboard.ps1\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"revision\":0,\"current_rule\":{\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"updated_at\":\"2024-12-04T19:45:53.136Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.136Z\",\"created_by\":\"elastic\",\"name\":\"A scheduled task was created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation of a scheduled task using Windows event logs. 
Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and\\n\\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\\n not winlog.event_data.TaskName : (\\n \\\"\\\\\\\\CreateExplorerShellUnelevatedTask\\\",\\n 
\\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker_backup\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-12-1-*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"A scheduled task was created\",\"description\":\"Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.136Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and\\n\\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\\n not winlog.event_data.TaskName : (\\n \\\"\\\\\\\\CreateExplorerShellUnelevatedTask\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker_backup\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-12-1-*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"revision\":0,\"current_rule\":{\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"updated_at\":\"2024-12-04T19:45:53.139Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.139Z\",\"created_by\":\"elastic\",\"name\":\"Potential Evasion via Windows Filtering Platform\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. 
Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/dsnezhkov/shutter/tree/main\",\"https://github.com/netero1010/EDRSilencer/tree/main\",\"https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies 
>\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nFiltering Platform Connection (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security-*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and \\n event.action : (\\\"windows-firewall-packet-block\\\", \\\"windows-firewall-packet-drop\\\") and \\n process.name : (\\n \\\"bdagent.exe\\\", \\\"bdreinit.exe\\\", \\\"pdscan.exe\\\", \\\"pdiface.exe\\\", \\\"BDSubWiz.exe\\\", \\\"ProductAgentService.exe\\\",\\n \\\"ProductAgentUI.exe\\\", \\\"WatchDog.exe\\\", \\\"CarbonBlackClientSetup.exe\\\", \\\"TrGUI.exe\\\", \\\"TracCAPI.exe\\\", \\\"cpmsi_tool.exe\\\",\\n \\\"trac.exe\\\", \\\"vna_install64.exe\\\", \\\"vna_utils.exe\\\", \\\"TracSrvWrapper.exe\\\", \\\"vsmon.exe\\\", \\\"p95tray.exe\\\",\\n \\\"CybereasonRansomFreeServiceHost.exe\\\", \\\"CrAmTray.exe\\\", \\\"minionhost.exe\\\", \\\"CybereasonSensor.exe\\\", \\\"CylanceUI.exe\\\",\\n \\\"CylanceProtectSetup.exe\\\", \\\"cylancesvc.exe\\\", \\\"cyupdate.exe\\\", \\\"elastic-agent.exe\\\", \\\"elastic-endpoint.exe\\\",\\n \\\"egui.exe\\\", \\\"minodlogin.exe\\\", \\\"emu-rep.exe\\\", \\\"emu_install.exe\\\", \\\"emu-cci.exe\\\", \\\"emu-gui.exe\\\", \\\"emu-uninstall.exe\\\",\\n \\\"ndep.exe\\\", \\\"spike.exe\\\", \\\"ecls.exe\\\", \\\"ecmd.exe\\\", \\\"ecomserver.exe\\\", \\\"eeclnt.exe\\\", \\\"eh64.exe\\\", \\\"EHttpSrv.exe\\\",\\n \\\"xagt.exe\\\", \\\"collectoragent.exe\\\", \\\"FSAEConfig.exe\\\", \\\"uninstalldcagent.exe\\\", \\\"rmon.exe\\\", \\\"fccomint.exe\\\",\\n \\\"fclanguageselector.exe\\\", \\\"fortifw.exe\\\", \\\"fcreg.exe\\\", \\\"fortitray.exe\\\", \\\"fcappdb.exe\\\", \\\"fcwizard.exe\\\", \\\"submitv.exe\\\",\\n \\\"av_task.exe\\\", \\\"fortiwf.exe\\\", \\\"fortiwadbd.exe\\\", \\\"fcauth.exe\\\", \\\"fcdblog.exe\\\", 
\\\"fcmgr.exe\\\", \\\"fortiwad.exe\\\",\\n \\\"fortiproxy.exe\\\", \\\"fortiscand.exe\\\", \\\"fortivpnst.exe\\\", \\\"ipsec.exe\\\", \\\"fcwscd7.exe\\\", \\\"fcasc.exe\\\", \\\"fchelper.exe\\\",\\n \\\"forticlient.exe\\\",\\\"fcwsc.exe\\\", \\\"FortiClient.exe\\\", \\\"fmon.exe\\\", \\\"FSSOMA.exe\\\", \\\"FCVbltScan.exe\\\", \\\"FortiESNAC.exe\\\",\\n \\\"EPCUserAvatar.exe\\\", \\\"FortiAvatar.exe\\\", \\\"FortiClient_Diagnostic_Tool.exe\\\", \\\"FortiSSLVPNdaemon.exe\\\", \\\"avp.exe\\\",\\n \\\"FCConfig.exe\\\", \\\"avpsus.exe\\\", \\\"klnagent.exe\\\", \\\"klnsacwsrv.exe\\\", \\\"kl_platf.exe\\\", \\\"stpass.exe\\\", \\\"klnagwds.exe\\\",\\n \\\"mbae.exe\\\", \\\"mbae64.exe\\\", \\\"mbae-svc.exe\\\", \\\"mbae-uninstaller.exe\\\", \\\"mbaeLoader32.exe\\\", \\\"mbaeloader64.exe\\\",\\n \\\"mbam-dor.exe\\\", \\\"mbamgui.exe\\\", \\\"mbamservice.exe\\\", \\\"mbamtrayctrl.exe\\\", \\\"mbampt.exe\\\", \\\"mbamscheduler.exe\\\",\\n \\\"Coreinst.exe\\\", \\\"mbae-setup.exe\\\", \\\"mcupdate.exe\\\", \\\"ProtectedModuleHost.exe\\\", \\\"ESConfigTool.exe\\\", \\\"FWInstCheck.exe\\\",\\n \\\"FwWindowsFirewallHandler.exe\\\", \\\"mfeesp.exe\\\", \\\"mfefw.exe\\\", \\\"mfeProvisionModeUtility.exe\\\", \\\"mfetp.exe\\\", \\\"avpui.exe\\\", \\n \\\"WscAVExe.exe\\\", \\\"mcshield.exe\\\", \\\"McChHost.exe\\\", \\\"mfewc.exe\\\", \\\"mfewch.exe\\\", \\\"mfewcui.exe\\\", \\\"fwinfo.exe\\\",\\n \\\"mfecanary.exe\\\", \\\"mfefire.exe\\\", \\\"mfehidin.exe\\\", \\\"mfemms.exe\\\", \\\"mfevtps.exe\\\", \\\"mmsinfo.exe\\\", \\\"vtpinfo.exe\\\",\\n \\\"MarSetup.exe\\\", \\\"mctray.exe\\\", \\\"masvc.exe\\\", \\\"macmnsvc.exe\\\", \\\"McAPExe.exe\\\", \\\"McPvTray.exe\\\", \\\"mcods.exe\\\",\\n \\\"mcuicnt.exe\\\", \\\"mcuihost.exe\\\", \\\"xtray.exe\\\", \\\"McpService.exe\\\", \\\"epefprtrainer.exe\\\", \\\"mfeffcoreservice.exe\\\",\\n \\\"MfeEpeSvc.exe\\\", \\\"qualysagent.exe\\\", \\\"QualysProxy.exe\\\", \\\"QualysAgentUI.exe\\\", \\\"SVRTgui.exe\\\", \\\"SVRTcli.exe\\\",\\n 
\\\"SVRTcli.exe\\\", \\\"SVRTgui.exe\\\", \\\"SCTCleanupService.exe\\\", \\\"SVRTservice.exe\\\", \\\"native.exe\\\", \\\"SCTBootTasks.exe\\\",\\n \\\"ALMon.exe\\\", \\\"SAA.exe\\\", \\\"SUMService.exe\\\", \\\"ssp.exe\\\", \\\"SCFService.exe\\\", \\\"SCFManager.exe\\\", \\\"spa.exe\\\", \\\"cabarc.exe\\\",\\n \\\"sargui.exe\\\", \\\"sntpservice.exe\\\", \\\"McsClient.exe\\\", \\\"McsAgent.exe\\\", \\\"McsHeartbeat.exe\\\", \\\"SAVAdminService.exe\\\",\\n \\\"sav32cli.exe\\\", \\\"ForceUpdateAlongSideSGN.exe\\\", \\\"SAVCleanupService.exe\\\", \\\"SavMain.exe\\\", \\\"SavProgress.exe\\\", \\n \\\"SavProxy.exe\\\", \\\"SavService.exe\\\", \\\"swc_service.exe\\\", \\\"swi_di.exe\\\", \\\"swi_service.exe\\\", \\\"swi_filter.exe\\\",\\n \\\"ALUpdate.exe\\\", \\\"SophosUpdate.exe\\\", \\\"ALsvc.exe\\\", \\\"SophosAlert.exe\\\", \\\"osCheck.exe\\\", \\\"N360Downloader.exe\\\",\\n \\\"InstWrap.exe\\\", \\\"symbos.exe\\\", \\\"nss.exe\\\", \\\"symcorpui.exe\\\", \\\"isPwdSvc.exe\\\", \\\"ccsvchst.exe\\\", \\\"ntrmv.exe\\\",\\n \\\"pccntmon.exe\\\", \\\"AosUImanager.exe\\\", \\\"NTRTScan.exe\\\", \\\"TMAS_OL.exe\\\", \\\"TMAS_OLImp.exe\\\", \\\"TMAS_OLSentry.exe\\\",\\n \\\"ufnavi.exe\\\", \\\"Clnrbin.exe\\\", \\\"vizorhtmldialog.exe\\\", \\\"pwmConsole.exe\\\", \\\"PwmSvc.exe\\\", \\\"coreServiceShell.exe\\\",\\n \\\"ds_agent.exe\\\", \\\"SfCtlCom.exe\\\", \\\"MBAMHelper.exe\\\", \\\"cb.exe\\\", \\\"smc.exe\\\", \\\"tda.exe\\\", \\\"xagtnotif.exe\\\", \\\"ekrn.exe\\\",\\n \\\"dsa.exe\\\", \\\"Notifier.exe\\\", \\\"rphcp.exe\\\", \\\"lc_sensor.exe\\\", \\\"CSFalconService.exe\\\", \\\"CSFalconController.exe\\\",\\n \\\"SenseSampleUploader.exe\\\", \\\"windefend.exe\\\", \\\"MSASCui.exe\\\", \\\"MSASCuiL.exe\\\", \\\"msmpeng.exe\\\", \\\"msmpsvc.exe\\\",\\n \\\"MsSense.exe\\\", \\\"esensor.exe\\\", \\\"sentinelone.exe\\\", \\\"tmccsf.exe\\\", \\\"csfalconcontainer.exe\\\", \\\"sensecncproxy.exe\\\",\\n \\\"splunk.exe\\\", \\\"sysmon.exe\\\", \\\"sysmon64.exe\\\", 
\\\"taniumclient.exe\\\"\\n )] with runs=5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Evasion via Windows Filtering Platform\",\"description\":\"Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/dsnezhkov/shutter/tree/main\",\"https://github.com/netero1010/EDRSilencer/tree/main\",\"https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity 
Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nFiltering Platform Connection (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.139Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and \\n event.action : (\\\"windows-firewall-packet-block\\\", \\\"windows-firewall-packet-drop\\\") and \\n process.name : (\\n \\\"bdagent.exe\\\", \\\"bdreinit.exe\\\", \\\"pdscan.exe\\\", \\\"pdiface.exe\\\", \\\"BDSubWiz.exe\\\", \\\"ProductAgentService.exe\\\",\\n \\\"ProductAgentUI.exe\\\", \\\"WatchDog.exe\\\", \\\"CarbonBlackClientSetup.exe\\\", \\\"TrGUI.exe\\\", \\\"TracCAPI.exe\\\", \\\"cpmsi_tool.exe\\\",\\n \\\"trac.exe\\\", \\\"vna_install64.exe\\\", \\\"vna_utils.exe\\\", \\\"TracSrvWrapper.exe\\\", \\\"vsmon.exe\\\", \\\"p95tray.exe\\\",\\n \\\"CybereasonRansomFreeServiceHost.exe\\\", \\\"CrAmTray.exe\\\", \\\"minionhost.exe\\\", \\\"CybereasonSensor.exe\\\", \\\"CylanceUI.exe\\\",\\n \\\"CylanceProtectSetup.exe\\\", \\\"cylancesvc.exe\\\", \\\"cyupdate.exe\\\", \\\"elastic-agent.exe\\\", \\\"elastic-endpoint.exe\\\",\\n \\\"egui.exe\\\", \\\"minodlogin.exe\\\", \\\"emu-rep.exe\\\", \\\"emu_install.exe\\\", \\\"emu-cci.exe\\\", 
\\\"emu-gui.exe\\\", \\\"emu-uninstall.exe\\\",\\n \\\"ndep.exe\\\", \\\"spike.exe\\\", \\\"ecls.exe\\\", \\\"ecmd.exe\\\", \\\"ecomserver.exe\\\", \\\"eeclnt.exe\\\", \\\"eh64.exe\\\", \\\"EHttpSrv.exe\\\",\\n \\\"xagt.exe\\\", \\\"collectoragent.exe\\\", \\\"FSAEConfig.exe\\\", \\\"uninstalldcagent.exe\\\", \\\"rmon.exe\\\", \\\"fccomint.exe\\\",\\n \\\"fclanguageselector.exe\\\", \\\"fortifw.exe\\\", \\\"fcreg.exe\\\", \\\"fortitray.exe\\\", \\\"fcappdb.exe\\\", \\\"fcwizard.exe\\\", \\\"submitv.exe\\\",\\n \\\"av_task.exe\\\", \\\"fortiwf.exe\\\", \\\"fortiwadbd.exe\\\", \\\"fcauth.exe\\\", \\\"fcdblog.exe\\\", \\\"fcmgr.exe\\\", \\\"fortiwad.exe\\\",\\n \\\"fortiproxy.exe\\\", \\\"fortiscand.exe\\\", \\\"fortivpnst.exe\\\", \\\"ipsec.exe\\\", \\\"fcwscd7.exe\\\", \\\"fcasc.exe\\\", \\\"fchelper.exe\\\",\\n \\\"forticlient.exe\\\",\\\"fcwsc.exe\\\", \\\"FortiClient.exe\\\", \\\"fmon.exe\\\", \\\"FSSOMA.exe\\\", \\\"FCVbltScan.exe\\\", \\\"FortiESNAC.exe\\\",\\n \\\"EPCUserAvatar.exe\\\", \\\"FortiAvatar.exe\\\", \\\"FortiClient_Diagnostic_Tool.exe\\\", \\\"FortiSSLVPNdaemon.exe\\\", \\\"avp.exe\\\",\\n \\\"FCConfig.exe\\\", \\\"avpsus.exe\\\", \\\"klnagent.exe\\\", \\\"klnsacwsrv.exe\\\", \\\"kl_platf.exe\\\", \\\"stpass.exe\\\", \\\"klnagwds.exe\\\",\\n \\\"mbae.exe\\\", \\\"mbae64.exe\\\", \\\"mbae-svc.exe\\\", \\\"mbae-uninstaller.exe\\\", \\\"mbaeLoader32.exe\\\", \\\"mbaeloader64.exe\\\",\\n \\\"mbam-dor.exe\\\", \\\"mbamgui.exe\\\", \\\"mbamservice.exe\\\", \\\"mbamtrayctrl.exe\\\", \\\"mbampt.exe\\\", \\\"mbamscheduler.exe\\\",\\n \\\"Coreinst.exe\\\", \\\"mbae-setup.exe\\\", \\\"mcupdate.exe\\\", \\\"ProtectedModuleHost.exe\\\", \\\"ESConfigTool.exe\\\", \\\"FWInstCheck.exe\\\",\\n \\\"FwWindowsFirewallHandler.exe\\\", \\\"mfeesp.exe\\\", \\\"mfefw.exe\\\", \\\"mfeProvisionModeUtility.exe\\\", \\\"mfetp.exe\\\", \\\"avpui.exe\\\", \\n \\\"WscAVExe.exe\\\", \\\"mcshield.exe\\\", \\\"McChHost.exe\\\", \\\"mfewc.exe\\\", \\\"mfewch.exe\\\", 
\\\"mfewcui.exe\\\", \\\"fwinfo.exe\\\",\\n \\\"mfecanary.exe\\\", \\\"mfefire.exe\\\", \\\"mfehidin.exe\\\", \\\"mfemms.exe\\\", \\\"mfevtps.exe\\\", \\\"mmsinfo.exe\\\", \\\"vtpinfo.exe\\\",\\n \\\"MarSetup.exe\\\", \\\"mctray.exe\\\", \\\"masvc.exe\\\", \\\"macmnsvc.exe\\\", \\\"McAPExe.exe\\\", \\\"McPvTray.exe\\\", \\\"mcods.exe\\\",\\n \\\"mcuicnt.exe\\\", \\\"mcuihost.exe\\\", \\\"xtray.exe\\\", \\\"McpService.exe\\\", \\\"epefprtrainer.exe\\\", \\\"mfeffcoreservice.exe\\\",\\n \\\"MfeEpeSvc.exe\\\", \\\"qualysagent.exe\\\", \\\"QualysProxy.exe\\\", \\\"QualysAgentUI.exe\\\", \\\"SVRTgui.exe\\\", \\\"SVRTcli.exe\\\",\\n \\\"SVRTcli.exe\\\", \\\"SVRTgui.exe\\\", \\\"SCTCleanupService.exe\\\", \\\"SVRTservice.exe\\\", \\\"native.exe\\\", \\\"SCTBootTasks.exe\\\",\\n \\\"ALMon.exe\\\", \\\"SAA.exe\\\", \\\"SUMService.exe\\\", \\\"ssp.exe\\\", \\\"SCFService.exe\\\", \\\"SCFManager.exe\\\", \\\"spa.exe\\\", \\\"cabarc.exe\\\",\\n \\\"sargui.exe\\\", \\\"sntpservice.exe\\\", \\\"McsClient.exe\\\", \\\"McsAgent.exe\\\", \\\"McsHeartbeat.exe\\\", \\\"SAVAdminService.exe\\\",\\n \\\"sav32cli.exe\\\", \\\"ForceUpdateAlongSideSGN.exe\\\", \\\"SAVCleanupService.exe\\\", \\\"SavMain.exe\\\", \\\"SavProgress.exe\\\", \\n \\\"SavProxy.exe\\\", \\\"SavService.exe\\\", \\\"swc_service.exe\\\", \\\"swi_di.exe\\\", \\\"swi_service.exe\\\", \\\"swi_filter.exe\\\",\\n \\\"ALUpdate.exe\\\", \\\"SophosUpdate.exe\\\", \\\"ALsvc.exe\\\", \\\"SophosAlert.exe\\\", \\\"osCheck.exe\\\", \\\"N360Downloader.exe\\\",\\n \\\"InstWrap.exe\\\", \\\"symbos.exe\\\", \\\"nss.exe\\\", \\\"symcorpui.exe\\\", \\\"isPwdSvc.exe\\\", \\\"ccsvchst.exe\\\", \\\"ntrmv.exe\\\",\\n \\\"pccntmon.exe\\\", \\\"AosUImanager.exe\\\", \\\"NTRTScan.exe\\\", \\\"TMAS_OL.exe\\\", \\\"TMAS_OLImp.exe\\\", \\\"TMAS_OLSentry.exe\\\",\\n \\\"ufnavi.exe\\\", \\\"Clnrbin.exe\\\", \\\"vizorhtmldialog.exe\\\", \\\"pwmConsole.exe\\\", \\\"PwmSvc.exe\\\", \\\"coreServiceShell.exe\\\",\\n \\\"ds_agent.exe\\\", 
\\\"SfCtlCom.exe\\\", \\\"MBAMHelper.exe\\\", \\\"cb.exe\\\", \\\"smc.exe\\\", \\\"tda.exe\\\", \\\"xagtnotif.exe\\\", \\\"ekrn.exe\\\",\\n \\\"dsa.exe\\\", \\\"Notifier.exe\\\", \\\"rphcp.exe\\\", \\\"lc_sensor.exe\\\", \\\"CSFalconService.exe\\\", \\\"CSFalconController.exe\\\",\\n \\\"SenseSampleUploader.exe\\\", \\\"windefend.exe\\\", \\\"MSASCui.exe\\\", \\\"MSASCuiL.exe\\\", \\\"msmpeng.exe\\\", \\\"msmpsvc.exe\\\",\\n \\\"MsSense.exe\\\", \\\"esensor.exe\\\", \\\"sentinelone.exe\\\", \\\"tmccsf.exe\\\", \\\"csfalconcontainer.exe\\\", \\\"sensecncproxy.exe\\\",\\n \\\"splunk.exe\\\", \\\"sysmon.exe\\\", \\\"sysmon64.exe\\\", \\\"taniumclient.exe\\\"\\n )] with runs=5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"revision\":0,\"current_rule\":{\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"updated_at\":\"2024-12-04T19:45:53.141Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.141Z\",\"created_by\":\"elastic\",\"name\":\"AWS Security Token Service (STS) AssumeRole Usage\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of AssumeRole. 
AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Automated processes that use Terraform may lead to false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.session_context.session_issuer.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS STS Role Assumption by Service\",\"description\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. 
While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: 
Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":209,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege 
Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.141Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: \\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"new_terms_fields\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"history_window_start\":\"now-14d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Security Token Service (STS) AssumeRole 
Usage\",\"target_version\":\"AWS STS Role Assumption by Service\",\"merged_version\":\"AWS STS Role Assumption by Service\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.\",\"target_version\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. 
While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"merged_version\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"false_positives\":{\"has_base_version\":false,\"current_version\":[\"Automated processes that use Terraform may lead to false positives.\"],\"target_version\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"merged_version\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. 
Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"merged_version\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. 
While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. 
Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role. Temporary credentials issued by `AssumeRole` cannot be invalidated directly before the `durationSeconds` validity period elapses; to cut off an active session, attach an inline deny policy to the role conditioned on `aws:TokenIssueTime` (the IAM console's Revoke active sessions action does this), tighten the role's trust policy, and rotate or deactivate the long-term credentials of the principal that called `AssumeRole`.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue, keeping in mind that a user agent is client-supplied and should not be the sole basis for an exception.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"aws.cloudtrail.user_identity.session_context.session_issuer.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"5m\",\"lookback\":\"60s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: 
\\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: \\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"merged_version\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":14,\"num_fields_with_conflicts\":13,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"revision\":0,\"current_rule\":{\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"updated_at\":\"2024-12-04T19:45:53.144Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.144Z\",\"created_by\":\"elastic\",\"name\":\"Sudoers File 
Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\\nnot process.name:(dpkg 
or platform-python or puppet or yum or dnf) and \\nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Sudoers File Modification\",\"description\":\"A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo 
Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.144Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\\nnot process.name:(dpkg or platform-python or puppet or yum or dnf) and \\nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"revision\":0,\"current_rule\":{\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"updated_at\":\"2024-12-04T19:45:53.148Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.148Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious SolarWinds Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes, verify process details such as network connections and file writes.\"],\"from\":\"now-9m\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name: (\\\"SolarWinds.BusinessLayerHost.exe\\\", \\\"SolarWinds.BusinessLayerHostx64.exe\\\") and\\n not (\\n process.name : (\\n \\\"APMServiceControl*.exe\\\",\\n \\\"ExportToPDFCmd*.Exe\\\",\\n 
\\\"SolarWinds.Credentials.Orion.WebApi*.exe\\\",\\n \\\"SolarWinds.Orion.Topology.Calculator*.exe\\\",\\n \\\"Database-Maint.exe\\\",\\n \\\"SolarWinds.Orion.ApiPoller.Service.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WerMgr.exe\\\",\\n \\\"SolarWinds.BusinessLayerHost.exe\\\",\\n \\\"SolarWinds.BusinessLayerHostx64.exe\\\",\\n \\\"SolarWinds.Topology.Calculator.exe\\\",\\n \\\"SolarWinds.Topology.Calculatorx64.exe\\\",\\n \\\"SolarWinds.APM.RealTimeProcessPoller.exe\\\") and\\n process.code_signature.trusted == true\\n ) and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\ARP.EXE\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\lodctr.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\unlodctr.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious SolarWinds Child Process\",\"description\":\"A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes, verify process details such as network connections and file 
writes.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.148Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\
",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name: (\\\"SolarWinds.BusinessLayerHost.exe\\\", \\\"SolarWinds.BusinessLayerHostx64.exe\\\") and\\n not (\\n process.name : (\\n \\\"APMServiceControl*.exe\\\",\\n \\\"ExportToPDFCmd*.Exe\\\",\\n \\\"SolarWinds.Credentials.Orion.WebApi*.exe\\\",\\n \\\"SolarWinds.Orion.Topology.Calculator*.exe\\\",\\n \\\"Database-Maint.exe\\\",\\n \\\"SolarWinds.Orion.ApiPoller.Service.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WerMgr.exe\\\",\\n \\\"SolarWinds.BusinessLayerHost.exe\\\",\\n \\\"SolarWinds.BusinessLayerHostx64.exe\\\",\\n \\\"SolarWinds.Topology.Calculator.exe\\\",\\n \\\"SolarWinds.Topology.Calculatorx64.exe\\\",\\n \\\"SolarWinds.APM.RealTimeProcessPoller.exe\\\") and\\n process.code_signature.trusted == true\\n ) and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\ARP.EXE\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\lodctr.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\unlodctr.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"revision\":0,\"current_rule\":{\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"updated_at\":\"2024-12-04T19:45:53.151Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.151Z\",\"created_by\":\"elastic\",\"name\":\"Encoded Executable Stored in the Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[],\"version\":309,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n/* update here with encoding combinations */\\n registry.data.strings : \\\"TVqQAAMAAAAEAAAA*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Encoded Executable Stored in the Registry\",\"description\":\"Identifies registry write modifications to hide an encoded portable executable. 
This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":411,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.151Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n/* update here with encoding combinations */\\n registry.data.strings : \\\"TVqQAAMAAAAEAAAA*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":309,\"target_version\":411,\"merged_version\":411,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data 
Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"revision\":0,\"current_rule\":{\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"updated_at\":\"2024-12-04T19:45:53.153Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.153Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Admin Role Deletion\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role is deleted. 
An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Deletion\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\\n\\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\\n- With the user identified, verify whether they have administrative privileges to disable or delete administrative roles.\\n- To identify other users affected by the removal of this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n\\n### False positive analysis\\n\\n- After identifying the user account that disabled the admin role, verify the action was intentional.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Discuss with the user which users were affected by this action to mitigate operational discrepancies.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Admin Role Deletion\",\"description\":\"Detects when a custom admin role is deleted. 
An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Deletion\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\\n\\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\\n- With the user identified, verify whether they have administrative privileges to disable or delete administrative roles.\\n- To identify other users affected by the removal of this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n\\n### False positive analysis\\n\\n- After identifying the user account that disabled the admin role, verify the action was intentional.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Discuss with the user which users were affected by this action to mitigate operational discrepancies.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.153Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"revision\":0,\"current_rule\":{\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"updated_at\":\"2024-12-04T19:45:40.227Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.227Z\",\"created_by\":\"elastic\",\"name\":\"Executable Bit Set for Potential Persistence Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. 
Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart 
Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.args : (\\n // Misc.\\n \\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\", \\\"/etc/rc.d/rc.local\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/etc/apt/apt.conf.d/*\\\", \\\"/etc/cron*\\\", \\\"/etc/init/*\\\",\\n\\n // XDG\\n \\\"/etc/xdg/autostart/*\\\", \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\", \\\"/home/*/.config/autostart-scripts/*\\\",\\n \\\"/root/.config/autostart-scripts/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\n // udev\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\"\\n\\n) and (\\n (process.name == \\\"chmod\\\" and process.args : (\\\"+x*\\\", \\\"1*\\\", \\\"3*\\\", \\\"5*\\\", \\\"7*\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m*\\\" and process.args : (\\\"7*\\\", \\\"5*\\\", \\\"3*\\\", \\\"1*\\\"))\\n) and not process.parent.executable : \\\"/var/lib/dpkg/*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Executable Bit Set for Potential 
Persistence Script\",\"description\":\"This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.227Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.args : (\\n // Misc.\\n \\\"/etc/rc.local\\\", 
\\\"/etc/rc.common\\\", \\\"/etc/rc.d/rc.local\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/etc/apt/apt.conf.d/*\\\", \\\"/etc/cron*\\\", \\\"/etc/init/*\\\",\\n\\n // XDG\\n \\\"/etc/xdg/autostart/*\\\", \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\", \\\"/home/*/.config/autostart-scripts/*\\\",\\n \\\"/root/.config/autostart-scripts/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\n // udev\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\"\\n\\n) and (\\n (process.name == \\\"chmod\\\" and process.args : (\\\"+x*\\\", \\\"1*\\\", \\\"3*\\\", \\\"5*\\\", \\\"7*\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m*\\\" and process.args : (\\\"7*\\\", \\\"5*\\\", \\\"3*\\\", \\\"1*\\\"))\\n) and not process.parent.executable : \\\"/var/lib/dpkg/*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"revision\":0,\"current_rule\":{\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"updated_at\":\"2024-12-04T19:45:53.164Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.164Z\",\"created_by\":\"elastic\",\"name\":\"Group Policy Discovery via Microsoft GPResult Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\\n\\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. 
Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\\n\\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\\n\\n#### Possible investigation steps\\n\\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1615\",\"name\":\"Group Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name: \\\"gpresult.exe\\\" or ?process.pe.original_file_name == \\\"gprslt.exe\\\") and process.args: (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Group Policy Discovery via Microsoft GPResult Utility\",\"description\":\"Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\\n\\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. 
The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\\n\\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\\n\\n#### Possible investigation steps\\n\\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1615\",\"name\":\"Group Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.164Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name: \\\"gpresult.exe\\\" or ?process.pe.original_file_name == \\\"gprslt.exe\\\") and process.args: (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"updated_at\":\"2024-12-04T19:45:53.167Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.167Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Custom Gmail Route Created or Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. 
This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Gmail Route Created or Modified\\n\\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\\n\\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\\n\\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. 
To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\\n\\n### False positive analysis\\n\\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam.\"],\"from\":\"now-130m\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.003\",\"name\":\"Email Forwarding Rule\",\"reference\":\"https://attack.mitre.org/techniques/T1114/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2685650?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:(\\\"CREATE_GMAIL_SETTING\\\" or \\\"CHANGE_GMAIL_SETTING\\\")\\n and google_workspace.event.type:\\\"EMAIL_SETTINGS\\\" and google_workspace.admin.setting.name:(\\\"EMAIL_ROUTE\\\" or \\\"MESSAGE_SECURITY_RULE\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Custom Gmail Route Created or Modified\",\"description\":\"Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Gmail Route Created or Modified\\n\\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\\n\\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\\n\\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. 
Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\\n\\n### False positive analysis\\n\\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. 
Administrators might create custom email routes to fulfill organizational requirements.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam.\"],\"references\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.003\",\"name\":\"Email Forwarding Rule\",\"reference\":\"https://attack.mitre.org/techniques/T1114/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.167Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:(\\\"CREATE_GMAIL_SETTING\\\" or \\\"CHANGE_GMAIL_SETTING\\\")\\n and google_workspace.event.type:\\\"EMAIL_SETTINGS\\\" and google_workspace.admin.setting.name:(\\\"EMAIL_ROUTE\\\" or \\\"MESSAGE_SECURITY_RULE\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2685650?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"revision\":0,\"current_rule\":{\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"updated_at\":\"2024-12-04T19:45:53.169Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.169Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell Pass-the-Hash/Relay Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1\",\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1\",\"https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1\",\"https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1\",\"https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"NTLMSSPNegotiate\\\" and (\\\"NegotiateSMB\\\" or \\\"NegotiateSMB2\\\")) or\\n \\\"4E544C4D53535000\\\" or\\n \\\"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\\\" or\\n \\\"0x4e,0x54,0x20,0x4c,0x4d\\\" or\\n 
\\\"0x53,0x4d,0x42,0x20,0x32\\\" or\\n \\\"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\\\"\\n ) and\\n not file.directory : \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell Pass-the-Hash/Relay Script\",\"description\":\"Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1\",\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1\",\"https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1\",\"https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1\",\"https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.169Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"NTLMSSPNegotiate\\\" and (\\\"NegotiateSMB\\\" or \\\"NegotiateSMB2\\\")) or\\n \\\"4E544C4D53535000\\\" or\\n \\\"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\\\" or\\n \\\"0x4e,0x54,0x20,0x4c,0x4d\\\" or\\n \\\"0x53,0x4d,0x42,0x20,0x32\\\" or\\n \\\"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\\\"\\n ) and\\n not file.directory : \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"revision\":0,\"current_rule\":{\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"updated_at\":\"2024-12-04T19:45:40.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.217Z\",\"created_by\":\"elastic\",\"name\":\"Remote Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. 
This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. 
Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"/* Task Scheduler service incoming connection followed by TaskCache registry modification */\\n\\nsequence by host.id, process.entity_id with maxspan = 1m\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and source.port >= 49152 and destination.port >= 49152 and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Scheduled Task Creation\",\"description\":\"Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Task Scheduler service incoming connection followed by TaskCache registry modification */\\n\\nsequence by host.id, process.entity_id with maxspan = 1m\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and source.port >= 49152 and destination.port >= 49152 and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"revision\":0,\"current_rule\":{\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"updated_at\":\"2024-12-04T19:45:53.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.172Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell 
Suspicious Script with Screenshot Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1113\",\"name\":\"Screen Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1113/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## 
Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n CopyFromScreen and\\n (\\\"System.Drawing.Bitmap\\\" or \\\"Drawing.Bitmap\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Screenshot Capabilities\",\"description\":\"Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious 
characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1113\",\"name\":\"Screen Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1113/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via 
registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n CopyFromScreen and\\n (\\\"System.Drawing.Bitmap\\\" or \\\"Drawing.Bitmap\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"revision\":0,\"current_rule\":{\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"updated_at\":\"2024-12-04T19:45:53.176Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.176Z\",\"created_by\":\"elastic\",\"name\":\"File made Immutable by Chattr\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. 
Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.002\",\"name\":\"Linux and Mac File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and user.id == \\\"0\\\" and\\n process.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and\\n not process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") and\\n not process.parent.name in (\\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File made Immutable by Chattr\",\"description\":\"Detects a file being made immutable using the chattr binary. 
Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.002\",\"name\":\"Linux and Mac File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.176Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where 
host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",
\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and user.id == \\\"0\\\" and\\n process.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and\\n not process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") and\\n not process.parent.name in (\\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n 
process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"revision\":0,\"current_rule\":{\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"updated_at\":\"2024-12-04T19:45:53.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.181Z\",\"created_by\":\"elastic\",\"name\":\"Message-of-the-Day (MOTD) File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \\\"/etc/update-motd.d/\\\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. 
Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Message-of-the-Day (MOTD) File Creation\\n\\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\\n\\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.\\n\\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### Related Rules\\n\\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the MOTD files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### 
Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/update-motd.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n 
file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Message-of-the-Day (MOTD) File Creation\",\"description\":\"This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \\\"/etc/update-motd.d/\\\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Message-of-the-Day (MOTD) File Creation\\n\\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\\n\\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. 
Executable files in these directories automatically run with root privileges.\\n\\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process 
tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### Related Rules\\n\\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the MOTD files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":12,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/update-motd.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":12,\"merged_version\":12,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\"],\"target_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"revision\":0,\"current_rule\":{\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"updated_at\":\"2024-12-04T19:45:53.186Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.186Z\",\"created_by\":\"elastic\",\"name\":\"SeDebugPrivilege Enabled by a Suspicious Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703\",\"https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.EnabledPrivilegeList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration 
>\\nAudit Policies >\\nDetailed Tracking >\\nToken Right Adjusted Events (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.provider: \\\"Microsoft-Windows-Security-Auditing\\\" and\\n event.action : \\\"Token Right Adjusted Events\\\" and\\n\\n winlog.event_data.EnabledPrivilegeList : \\\"SeDebugPrivilege\\\" and\\n\\n /* exclude processes with System Integrity */\\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n not winlog.event_data.ProcessName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*-*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\auditpol.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SeDebugPrivilege Enabled by a Suspicious Process\",\"description\":\"Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703\",\"https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"## Setup\\n\\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDetailed Tracking >\\nToken Right Adjusted Events 
(Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.EnabledPrivilegeList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.186Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.provider: \\\"Microsoft-Windows-Security-Auditing\\\" and\\n event.action : \\\"Token Right Adjusted Events\\\" and\\n\\n winlog.event_data.EnabledPrivilegeList : \\\"SeDebugPrivilege\\\" and\\n\\n /* exclude processes with System Integrity */\\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n not winlog.event_data.ProcessName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*-*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\auditpol.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"revision\":0,\"current_rule\":{\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"updated_at\":\"2024-12-04T19:45:53.193Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.193Z\",\"created_by\":\"elastic\",\"name\":\"AWS SAML Activity\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-25m\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\",\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and 
event.action:(Assumerolewithsaml or\\nUpdateSAMLProvider) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM SAML Provider Updated\",\"description\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.193Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS SAML Activity\",\"target_version\":\"AWS IAM SAML Provider Updated\",\"merged_version\":\"AWS IAM SAML Provider Updated\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.\",\"target_version\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.\",\"merged_version\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. 
This activity could be an indication of an attacker attempting to escalate privileges.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\",\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\"],\"target_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"merged_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"5m\",\"lookback\":\"1200s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\\nUpdateSAMLProvider) and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and 
event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":10,\"num_fields_with_conflicts\":9,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"revision\":0,\"current_rule\":{\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"updated_at\":\"2024-12-04T19:45:54.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.278Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Zoom Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Zoom Child Process\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. 
Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line of the child process to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process 
tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"Zoom.exe\\\" and process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Zoom Child Process\",\"description\":\"A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. 
Verify process details such as command line, network connections, file writes and associated file signature details as well.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Zoom Child Process\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line of the child process to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"Zoom.exe\\\" and process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data 
Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"vers
ion\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"revision\":0,\"current_rule\":{\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"updated_at\":\"2024-12-04T19:45:40.225Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.225Z\",\"created_by\":\"elastic\",\"name\":\"Startup or Run Key Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies run key or startup key registry modifications. 
In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup or Run Key Registry Modification\\n\\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.hive\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and \\n registry.data.strings != null and registry.hive : (\\\"HKEY_USERS\\\", \\\"HKLM\\\") and\\n registry.path : (\\n /* Machine Hive */\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\",\\n /* Users Hive */\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\"\\n ) and\\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\\n not registry.data.strings : \\\"ctfmon.exe /n\\\" and\\n not (registry.value : \\\"Application Restart #*\\\" and process.name : \\\"csrss.exe\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not registry.data.strings : (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\") and\\n not (\\n /* Logitech G Hub */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Logitech Inc\\\" and\\n (\\n process.name : \\\"lghub_agent.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\lghub.exe\\\\\\\" --background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\system_tray\\\\\\\\lghub_system_tray.exe\\\\\\\" --minimized\\\"\\n )\\n ) or\\n (\\n process.name : \\\"LogiBolt.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\"\\n )\\n )\\n ) or\\n\\n /* Google Drive File Stream, Chrome, and Google Update */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Google LLC\\\" and\\n (\\n process.name : \\\"GoogleDriveFS.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Drive File Stream\\\\\\\\*\\\\\\\\GoogleDriveFS.exe\\\\\\\" --startup_mode\\\"\\n ) or\\n\\n process.name : \\\"chrome.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\"\\n ) or\\n\\n process.name : \\\"GoogleUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Update\\\\\\\\*\\\\\\\\GoogleUpdateCore.exe\\\\\\\"\\\"\\n )\\n )\\n ) or\\n\\n /* MS Programs */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\") and\\n (\\n process.name : \\\"msedge.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start /prefetch:5\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --win-session-start\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start\\\"\\n ) or\\n\\n process.name : 
(\\\"Update.exe\\\", \\\"Teams.exe\\\") and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\"\\n ) or\\n\\n process.name : \\\"OneDriveStandaloneUpdater.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n\\n process.name : \\\"OneDriveSetup.exe\\\" and\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe /q /c * \\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\"\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background *\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"OneDrive.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\"\\n ) or\\n \\n process.name : \\\"Microsoft.SharePoint.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"MicrosoftEdgeUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\Expedient\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\*\\\\\\\\MicrosoftEdgeUpdateCore.exe\\\\\\\"\\\"\\n ) or\\n \\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\" and\\n registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\\\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\\\"\\n )\\n )\\n ) or\\n\\n /* Slack */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\n \\\"Slack Technologies, Inc.\\\", \\\"Slack Technologies, LLC\\\"\\n ) and process.name : \\\"slack.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\"\\n )\\n ) or\\n\\n /* Cisco */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Cisco WebEx LLC\\\", \\\"Cisco Systems, Inc.\\\") and\\n (\\n process.name : \\\"WebexHost.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\WebEx\\\\\\\\WebexHost.exe\\\\\\\" /daemon /runFrom=autorun\\\"\\n )\\n ) or\\n (\\n process.name : \\\"CiscoJabber.exe\\\" and registry.data.strings : (\\n 
\\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cisco Systems\\\\\\\\Cisco Jabber\\\\\\\\CiscoJabber.exe\\\\\\\" /min\\\"\\n )\\n )\\n ) or\\n\\n /* Loom */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Loom, Inc.\\\" and\\n process.name : \\\"Loom.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Loom\\\\\\\\Loom.exe --process-start-args \\\\\\\"--loomHidden\\\\\\\"\\\"\\n )\\n ) or\\n\\n /* Adobe */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Adobe Inc.\\\" and\\n process.name : (\\\"Acrobat.exe\\\", \\\"FlashUtil32_*_Plugin.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\FlashUtil32_*_Plugin.exe -update plugin\\\"\\n )\\n ) or\\n\\n /* CCleaner */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"PIRIFORM SOFTWARE LIMITED\\\" and\\n process.name : (\\\"CCleanerBrowser.exe\\\", \\\"CCleaner64.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\CCleaner Browser\\\\\\\\Application\\\\\\\\CCleanerBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\\\\\"Default\\\\\\\"\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\\\\\" /MONITOR\\\"\\n )\\n ) or\\n\\n /* Opera */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Opera Norway AS\\\" and\\n process.name : \\\"opera.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera\\\\\\\\launcher.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera GX\\\\\\\\launcher.exe\\\"\\n )\\n ) or\\n\\n /* Avast */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Avast Software s.r.o.\\\" and\\n process.name : \\\"AvastBrowser.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\"\\n )\\n ) or\\n\\n /* Grammarly */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Grammarly, Inc.\\\" and\\n process.name : \\\"GrammarlyInstaller.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Grammarly\\\\\\\\DesktopIntegrations\\\\\\\\Grammarly.Desktop.exe\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup or Run Key Registry Modification\",\"description\":\"Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup or Run Key Registry Modification\\n\\nAdversaries may achieve persistence by referencing a program with a registry run key. 
Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Verify that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in 
the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.hive\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.225Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and \\n registry.data.strings != null and registry.hive : (\\\"HKEY_USERS\\\", \\\"HKLM\\\") and\\n registry.path : (\\n /* Machine Hive */\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\",\\n /* Users Hive */\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\"\\n ) and\\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\\n not registry.data.strings : \\\"ctfmon.exe /n\\\" and\\n not (registry.value : \\\"Application Restart #*\\\" and process.name : \\\"csrss.exe\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not registry.data.strings : (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\") and\\n not (\\n /* Logitech G Hub */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Logitech Inc\\\" and\\n (\\n process.name : \\\"lghub_agent.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\lghub.exe\\\\\\\" --background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\system_tray\\\\\\\\lghub_system_tray.exe\\\\\\\" --minimized\\\"\\n )\\n ) or\\n (\\n process.name : \\\"LogiBolt.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\"\\n )\\n )\\n ) or\\n\\n /* Google Drive File Stream, Chrome, and Google Update */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Google LLC\\\" and\\n (\\n process.name : \\\"GoogleDriveFS.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Drive File Stream\\\\\\\\*\\\\\\\\GoogleDriveFS.exe\\\\\\\" --startup_mode\\\"\\n ) or\\n\\n process.name : \\\"chrome.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\"\\n ) or\\n\\n process.name : \\\"GoogleUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Update\\\\\\\\*\\\\\\\\GoogleUpdateCore.exe\\\\\\\"\\\"\\n )\\n )\\n ) or\\n\\n /* MS Programs */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\") and\\n (\\n process.name : \\\"msedge.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start /prefetch:5\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --win-session-start\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start\\\"\\n ) or\\n\\n 
process.name : (\\\"Update.exe\\\", \\\"Teams.exe\\\") and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\"\\n ) or\\n\\n process.name : \\\"OneDriveStandaloneUpdater.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n\\n process.name : \\\"OneDriveSetup.exe\\\" and\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe /q /c * \\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\"\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background *\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"OneDrive.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\"\\n ) or\\n \\n process.name : \\\"Microsoft.SharePoint.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"MicrosoftEdgeUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\Expedient\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\*\\\\\\\\MicrosoftEdgeUpdateCore.exe\\\\\\\"\\\"\\n ) or\\n \\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\" and\\n registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\\\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\\\"\\n )\\n )\\n ) or\\n\\n /* Slack */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\n \\\"Slack Technologies, Inc.\\\", \\\"Slack Technologies, LLC\\\"\\n ) and process.name : \\\"slack.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\"\\n )\\n ) or\\n\\n /* Cisco */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Cisco WebEx LLC\\\", \\\"Cisco Systems, Inc.\\\") and\\n (\\n process.name : \\\"WebexHost.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\WebEx\\\\\\\\WebexHost.exe\\\\\\\" /daemon /runFrom=autorun\\\"\\n )\\n ) or\\n (\\n process.name : \\\"CiscoJabber.exe\\\" and registry.data.strings : (\\n 
\\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cisco Systems\\\\\\\\Cisco Jabber\\\\\\\\CiscoJabber.exe\\\\\\\" /min\\\"\\n )\\n )\\n ) or\\n\\n /* Loom */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Loom, Inc.\\\" and\\n process.name : \\\"Loom.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Loom\\\\\\\\Loom.exe --process-start-args \\\\\\\"--loomHidden\\\\\\\"\\\"\\n )\\n ) or\\n\\n /* Adobe */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Adobe Inc.\\\" and\\n process.name : (\\\"Acrobat.exe\\\", \\\"FlashUtil32_*_Plugin.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\FlashUtil32_*_Plugin.exe -update plugin\\\"\\n )\\n ) or\\n\\n /* CCleaner */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"PIRIFORM SOFTWARE LIMITED\\\" and\\n process.name : (\\\"CCleanerBrowser.exe\\\", \\\"CCleaner64.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\CCleaner Browser\\\\\\\\Application\\\\\\\\CCleanerBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\\\\\"Default\\\\\\\"\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\\\\\" /MONITOR\\\"\\n )\\n ) or\\n\\n /* Opera */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Opera Norway AS\\\" and\\n process.name : \\\"opera.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera\\\\\\\\launcher.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera GX\\\\\\\\launcher.exe\\\"\\n )\\n ) or\\n\\n /* Avast */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Avast Software s.r.o.\\\" and\\n process.name : \\\"AvastBrowser.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\"\\n )\\n ) or\\n\\n /* Grammarly */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Grammarly, Inc.\\\" and\\n process.name : \\\"GrammarlyInstaller.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Grammarly\\\\\\\\DesktopIntegrations\\\\\\\\Grammarly.Desktop.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"updated_at\":\"2024-12-04T19:45:54.149Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.149Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Credential Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user.\"],\"from\":\"now-130m\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/drive/answer/2494822\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.visibility\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"file where event.dataset == \\\"google_workspace.drive\\\" and event.action : (\\\"copy\\\", \\\"view\\\", \\\"download\\\") and\\n google_workspace.drive.visibility: \\\"people_with_link\\\" and source.user.email == \\\"\\\" and\\n file.extension: (\\n \\\"token\\\",\\\"assig\\\", \\\"pssc\\\", \\\"keystore\\\", \\\"pub\\\", \\\"pgp.asc\\\", \\\"ps1xml\\\", \\\"pem\\\", \\\"gpg.sig\\\", \\\"der\\\", \\\"key\\\",\\n \\\"p7r\\\", \\\"p12\\\", \\\"asc\\\", \\\"jks\\\", \\\"p7b\\\", \\\"signature\\\", \\\"gpg\\\", \\\"pgp.sig\\\", \\\"sst\\\", \\\"pgp\\\", \\\"gpgz\\\", \\\"pfx\\\", \\\"crt\\\",\\n \\\"p8\\\", \\\"sig\\\", \\\"pkcs7\\\", \\\"jceks\\\", \\\"pkcs8\\\", \\\"psc1\\\", \\\"p7c\\\", \\\"csr\\\", \\\"cer\\\", \\\"spc\\\", \\\"ps2xml\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\",\"description\":\"Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. 
Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may generate a shared access link to encryption key files to share with others. 
It is unlikely that the intended recipient is an external or anonymous user.\"],\"references\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.visibility\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.149Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.dataset == \\\"google_workspace.drive\\\" and event.action : (\\\"copy\\\", \\\"view\\\", \\\"download\\\") and\\n google_workspace.drive.visibility: \\\"people_with_link\\\" and source.user.email == \\\"\\\" and\\n file.extension: (\\n 
\\\"token\\\",\\\"assig\\\", \\\"pssc\\\", \\\"keystore\\\", \\\"pub\\\", \\\"pgp.asc\\\", \\\"ps1xml\\\", \\\"pem\\\", \\\"gpg.sig\\\", \\\"der\\\", \\\"key\\\",\\n \\\"p7r\\\", \\\"p12\\\", \\\"asc\\\", \\\"jks\\\", \\\"p7b\\\", \\\"signature\\\", \\\"gpg\\\", \\\"pgp.sig\\\", \\\"sst\\\", \\\"pgp\\\", \\\"gpgz\\\", \\\"pfx\\\", \\\"crt\\\",\\n \\\"p8\\\", \\\"sig\\\", \\\"pkcs7\\\", \\\"jceks\\\", \\\"pkcs8\\\", \\\"psc1\\\", \\\"p7c\\\", \\\"csr\\\", \\\"cer\\\", \\\"spc\\\", \\\"ps2xml\\\")\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/drive/answer/2494822\"],\"target_version\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"revision\":0,\"current_rule\":{\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"updated_at\":\"2024-12-04T19:46:04.731Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.731Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook 
Egress Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"logs-endpoint.events.network*\"],\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n )\\n ] by 
process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Egress Network Connection\",\"description\":\"This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.675Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.731Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", 
\\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"logs-endpoint.events.network*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"target_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"revision\":0,\"current_rule\":{\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"updated_at\":\"2024-12-04T19:45:54.151Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.151Z\",\"created_by\":\"elastic\",\"name\":\"Indirect Command Execution via Forfiles/Pcalua\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"pcalua.exe\\\", \\\"forfiles.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Indirect Command Execution via Forfiles/Pcalua\",\"description\":\"Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.151Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"pcalua.exe\\\", \\\"forfiles.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"revision\":0,\"current_rule\":{\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"updated_at\":\"2024-12-04T19:45:54.169Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.169Z\",\"created_by\":\"elastic\",\"name\":\"Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score\",\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-10m\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"],\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score\",\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-10m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.169Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule 
Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"target_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"high\",\"merged_version\":\"high\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":73,\"merged_version\":73,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"revision\":0,\"current_rule\":{\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"updated_at\":\"2024-12-04T19:45:54.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.172Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via LSASS Memory Dump\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic:Execution\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\\n winlog.event_data.CallTrace : (\\\"*dbghelp*\\\", \\\"*dbgcore*\\\") and\\n\\n /* case of lsass crashing */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via LSASS Memory Dump\",\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic:Execution\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\\n winlog.event_data.CallTrace : (\\\"*dbghelp*\\\", \\\"*dbgcore*\\\") and\\n\\n /* case of lsass crashing */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"target_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"revision\":0,\"current_rule\":{\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"updated_at\":\"2024-12-04T19:45:54.179Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.179Z\",\"created_by\":\"elastic\",\"name\":\"Potential Shadow File Read via Command Line Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. 
They may utilize these to move laterally undetected and access additional resources.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.008\",\"name\":\"/etc/passwd and /etc/shadow\",\"reference\":\"https://attack.mitre.org/techniques/T1003/008/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend 
Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not \\n(process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") and not \\n(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\")\\n\",\"new_terms_fields\":[\"process.command_line\",\"host.id\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Shadow File Read via Command Line Utilities\",\"description\":\"Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. 
They may utilize these to move laterally undetected and access additional resources.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.008\",\"name\":\"/etc/passwd and /etc/shadow\",\"reference\":\"https://attack.mitre.org/techniques/T1003/008/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.179Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n (process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and 
process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"proces
s.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not \\n(process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") and not \\n(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n (process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n 
(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.command_line\",\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"revision\":0,\"current_rule\":{\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"updated_at\":\"2024-12-04T19:45:54.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.181Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Explorer Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious Windows explorer child process. 
Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and 
process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Explorer Child Process\",\"description\":\"Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial 
Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n 
?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"revision\":0,\"current_rule\":{\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"updated_at\":\"2024-12-04T19:45:40.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.219Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Tasks AT Command Enabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Tasks AT Command Enabled\",\"description\":\"Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", 
\\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"revision\":0,\"current_rule\":{\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"updated_at\":\"2024-12-04T19:45:54.184Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.184Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to User\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. 
This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user.\"],\"from\":\"now-6m\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to User\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.184Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed 
policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other 
IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"revision\":0,\"current_rule\":{\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"updated_at\":\"2024-12-04T19:45:54.188Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.188Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via WMI Event Subscription\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"create\\\" and\\n process.args : (\\\"ActiveScriptEventConsumer\\\", 
\\\"CommandLineEventConsumer\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via WMI Event Subscription\",\"description\":\"An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.188Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"create\\\" and\\n process.args : (\\\"ActiveScriptEventConsumer\\\", \\\"CommandLineEventConsumer\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"revision\":0,\"current_rule\":{\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"updated_at\":\"2024-12-04T19:45:54.191Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.191Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via CAP_SETUID/SETGID Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). 
In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and 
Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n )\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == 
\\\"0\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via CAP_SETUID/SETGID Capabilities\",\"description\":\"Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.191Z\",\"created_by\":\"elastic\",\"
revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", \\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like \\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == 
\\\"0\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thre
ad.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", 
\\\"/usr/share/language-tools/language-options\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n )\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", 
\\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like \\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", \\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like 
\\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"revision\":0,\"current_rule\":{\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"updated_at\":\"2024-12-04T19:45:54.193Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.193Z\",\"created_by\":\"elastic\",\"name\":\"Hosts File Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Hosts File Modified\\n\\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. 
For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \\\"Fail open\\\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\\n\\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\\n\\n#### Possible investigation steps\\n\\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of the administrator account that performed the action.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1565\",\"name\":\"Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/\",\"subtechnique\":[{\"id\":\"T1565.001\",\"name\":\"Stored Data 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"],\"query\":\"any where\\n\\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\\n miss this, which is the purpose of the process + command line args logic below */\\n (\\n event.category == \\\"file\\\" and event.type in (\\\"change\\\", \\\"creation\\\") and\\n 
file.path : (\\\"/private/etc/hosts\\\", \\\"/etc/hosts\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\hosts\\\") and \\n not process.name in (\\\"dockerd\\\", \\\"rootlesskit\\\", \\\"podman\\\", \\\"crio\\\")\\n )\\n or\\n\\n /* process events for change targeting linux only */\\n (\\n event.category == \\\"process\\\" and event.type in (\\\"start\\\") and\\n process.name in (\\\"nano\\\", \\\"vim\\\", \\\"vi\\\", \\\"emacs\\\", \\\"echo\\\", \\\"sed\\\") and\\n process.args : (\\\"/etc/hosts\\\") and \\n not process.parent.name in (\\\"dhclient-script\\\", \\\"google_set_hostname\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Hosts File Modified\",\"description\":\"The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Hosts File Modified\\n\\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. 
This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \\\"Fail open\\\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\\n\\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\\n\\n#### Possible investigation steps\\n\\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of the administrator account that performed the action.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1565\",\"name\":\"Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/\",\"subtechnique\":[{\"id\":\"T1565.001\",\"name\":\"Stored Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/001/\"}]}]}],\"setup\":\"## Setup\\n\\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.193Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where\\n\\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\\n miss this, which is the purpose of the process + command line args logic below */\\n (\\n event.category == \\\"file\\\" and event.type in (\\\"change\\\", \\\"creation\\\") and\\n file.path : (\\\"/private/etc/hosts\\\", \\\"/etc/hosts\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\hosts\\\") and \\n not process.name in (\\\"dockerd\\\", \\\"rootlesskit\\\", \\\"podman\\\", \\\"crio\\\")\\n )\\n or\\n\\n /* process events for change targeting linux only */\\n (\\n event.category == \\\"process\\\" and event.type in (\\\"start\\\") and\\n process.name in (\\\"nano\\\", \\\"vim\\\", \\\"vi\\\", \\\"emacs\\\", 
\\\"echo\\\", \\\"sed\\\") and\\n process.args : (\\\"/etc/hosts\\\") and \\n not process.parent.name in (\\\"dhclient-script\\\", \\\"google_set_hostname\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"revision\":0,\"current_rule\":{\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"updated_at\":\"2024-12-04T19:45:54.196Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.196Z\",\"created_by\":\"elastic\",\"name\":\"Remote Scheduled Task Creation via RPC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scheduled task creation from a remote source. 
This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the TaskContent value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RpcCallClientLocality\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and \\n winlog.event_data.RpcCallClientLocality : \\\"0\\\" and winlog.event_data.ClientProcessId : \\\"0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Scheduled Task Creation via RPC\",\"description\":\"Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. 
One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the TaskContent value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. 
Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RpcCallClientLocality\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.196Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and \\n winlog.event_data.RpcCallClientLocality : \\\"0\\\" and winlog.event_data.ClientProcessId : \\\"0\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"revision\":0,\"current_rule\":{\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"updated_at\":\"2024-12-04T19:45:54.205Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.205Z\",\"created_by\":\"elastic\",\"name\":\"Command Shell Activity Started via RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Microsoft Windows installers leveraging RunDLL32 for installation.\"],\"from\":\"now-9m\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\n process.parent.name : \\\"rundll32.exe\\\" and process.parent.command_line != null and\\n /* common FPs can be added here */\\n not process.parent.args : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SHELL32.dll,RunAsNewUser_RunDLL\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Shell Activity Started via RunDLL32\",\"description\":\"Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Microsoft Windows installers leveraging RunDLL32 for installation.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.205Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\n process.parent.name : \\\"rundll32.exe\\\" and process.parent.command_line != null and\\n /* common FPs can be added here */\\n not process.parent.args : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SHELL32.dll,RunAsNewUser_RunDLL\\\",\\n 
\\\"C:\\\\\\\\WINDOWS\\\\\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"revision\":0,\"current_rule\":{\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"updated_at\":\"2024-12-04T19:45:54.207Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.207Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by a Script Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and (\\n 
process.name.caseless:\\\"msbuild.exe\\\" or process.pe.original_file_name:\\\"MSBuild.exe\\\") and \\n process.parent.name:(\\\"cmd.exe\\\" or \\\"powershell.exe\\\" or \\\"pwsh.exe\\\" or \\\"powershell_ise.exe\\\" or \\\"cscript.exe\\\" or\\n \\\"wscript.exe\\\" or \\\"mshta.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by a Script Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.207Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and (\\n process.name.caseless:\\\"msbuild.exe\\\" or process.pe.original_file_name:\\\"MSBuild.exe\\\") and \\n process.parent.name:(\\\"cmd.exe\\\" or \\\"powershell.exe\\\" or \\\"pwsh.exe\\\" or \\\"powershell_ise.exe\\\" or \\\"cscript.exe\\\" or\\n \\\"wscript.exe\\\" or \\\"mshta.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"revision\":0,\"current_rule\":{\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"updated_at\":\"2024-12-04T19:45:54.209Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.209Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by a System Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. 
This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"wmiprvse.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by a System Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.209Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", 
\\\"wmiprvse.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"revision\":0,\"current_rule\":{\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"updated_at\":\"2024-12-04T19:45:54.212Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.212Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Using an Alternate Name\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. 
This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Using an Alternate Name\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name == \\\"MSBuild.exe\\\" and\\n not process.name : \\\"MSBuild.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Using an Alternate Name\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. 
This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Using an Alternate Name\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.212Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name == \\\"MSBuild.exe\\\" and\\n not process.name : \\\"MSBuild.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"revision\":0,\"current_rule\":{\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"updated_at\":\"2024-12-04T19:45:54.214Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.214Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Trusted Developer Utility\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Trusted Developer Utility\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\\n\\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\\n\\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the `.csproj` file location.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and (process.name : \\\"MSBuild.exe\\\" or process.pe.original_file_name == \\\"MSBuild.exe\\\")]\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\") or file.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\"))]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Trusted Developer Utility\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked 
libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Trusted Developer Utility\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\\n\\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\\n\\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the `.csproj` file location.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.214Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and (process.name : \\\"MSBuild.exe\\\" or process.pe.original_file_name == \\\"MSBuild.exe\\\")]\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\") or file.name : (\\\"vaultcli.dll\\\", 
\\\"SAMLib.DLL\\\"))]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"revision\":0,\"current_rule\":{\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"updated_at\":\"2024-12-04T19:45:54.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.217Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started an Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. 
This technique is sometimes used to deploy a malicious payload using the Build Engine.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\\\"MSBuild.exe\\\" or \\\"msbuild.exe\\\") and\\nprocess.name:(\\\"csc.exe\\\" or \\\"iexplore.exe\\\" or \\\"powershell.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft 
Build Engine Started an Unusual Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name.\"],\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\\\"MSBuild.exe\\\" or \\\"msbuild.exe\\\") and\\nprocess.name:(\\\"csc.exe\\\" or \\\"iexplore.exe\\\" or \\\"powershell.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"revision\":0,\"current_rule\":{\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"updated_at\":\"2024-12-04T19:45:54.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.219Z\",\"created_by\":\"elastic\",\"name\":\"Process Injection by the Microsoft Build Engine\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-6m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process.name:MSBuild.exe and host.os.type:windows and event.action:\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Injection by the Microsoft Build Engine\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"process.name:MSBuild.exe and host.os.type:windows and event.action:\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"revision\":0,\"current_rule\":{\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"updated_at\":\"2024-12-04T19:45:54.231Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.231Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via DCSync\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). 
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action : 
(\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and winlog.event_data.Properties : (\\n\\n /* Control Access Rights/Permissions Symbol */\\n\\n \\\"*DS-Replication-Get-Changes*\\\",\\n \\\"*DS-Replication-Get-Changes-All*\\\",\\n \\\"*DS-Replication-Get-Changes-In-Filtered-Set*\\\",\\n\\n /* Identifying GUID used in ACE */\\n\\n \\\"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*89e95b76-444d-4c62-991a-0facbeda640c*\\\")\\n\\n /* The right to perform an operation controlled by an extended access right. */\\n\\n and winlog.event_data.AccessMask : \\\"0x100\\\" and\\n not winlog.event_data.SubjectUserName : (\\n \\\"*$\\\", \\\"MSOL_*\\\", \\\"OpenDNS_Connector\\\", \\\"adconnect\\\", \\\"SyncADConnect\\\",\\n \\\"SyncADConnectCM\\\", \\\"aadsync\\\", \\\"svcAzureADSync\\\", \\\"-\\\"\\n )\\n\\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via DCSync\",\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). 
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, 
Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.231Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action : (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and winlog.event_data.Properties : (\\n\\n /* Control Access Rights/Permissions Symbol */\\n\\n \\\"*DS-Replication-Get-Changes*\\\",\\n \\\"*DS-Replication-Get-Changes-All*\\\",\\n \\\"*DS-Replication-Get-Changes-In-Filtered-Set*\\\",\\n\\n /* Identifying GUID used in ACE */\\n\\n \\\"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*89e95b76-444d-4c62-991a-0facbeda640c*\\\")\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n and winlog.event_data.AccessMask : \\\"0x100\\\" and\\n not winlog.event_data.SubjectUserName : (\\n \\\"*$\\\", \\\"MSOL_*\\\", \\\"OpenDNS_Connector\\\", \\\"adconnect\\\", \\\"SyncADConnect\\\",\\n \\\"SyncADConnectCM\\\", \\\"aadsync\\\", \\\"svcAzureADSync\\\", \\\"-\\\"\\n )\\n\\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"target_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://g
ithub.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"revision\":0,\"current_rule\":{\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"updated_at\":\"2024-12-04T19:45:54.233Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.233Z\",\"created_by\":\"elastic\",\"name\":\"File Permission Modification in Writable Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies file permission modifications in common writable directories by a non-root user. 
Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username.\"],\"from\":\"now-9m\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\"}]}],\"to\":\"now\",\"references\":[],\"version\":210,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available)\\n\",\"new_terms_fields\":[\"host.id\",\"process.parent.executable\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"File Permission Modification in Writable Directory\",\"description\":\"Identifies file permission modifications in common writable directories by a non-root user. 
Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.233Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or 
apt-get)\\n\",\"new_terms_fields\":[\"host.id\",\"process.parent.executable\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":210,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or apt-get)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or apt-get)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"revision\":0,\"current_rule\":{\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"updated_at\":\"2024-12-04T19:45:54.242Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.242Z\",\"created_by\":\"elastic\",\"name\":\"A scheduled task was updated\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"scheduled-task-updated\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and \\n not winlog.event_data.TaskName : \\\"*Microsoft*\\\" and \\n not winlog.event_data.TaskName :\\n (\\\"\\\\\\\\User_Feed_Synchronization-*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-12-1-*\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistant\\\", \\n \\\"\\\\\\\\IpamDnsProvisioning\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantAllUsersRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantCalendarRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantWakeupRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\.NET Framework\\\\\\\\.NET Framework NGEN v*\\\", \\n 
\\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\") and \\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"A scheduled task was updated\",\"description\":\"Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.242Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-updated\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and \\n not winlog.event_data.TaskName : \\\"*Microsoft*\\\" and \\n not winlog.event_data.TaskName :\\n (\\\"\\\\\\\\User_Feed_Synchronization-*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-12-1-*\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistant\\\", \\n \\\"\\\\\\\\IpamDnsProvisioning\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantAllUsersRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantCalendarRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantWakeupRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\.NET Framework\\\\\\\\.NET Framework NGEN v*\\\", \\n 
\\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\") and \\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"revision\":0,\"current_rule\":{\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"updated_at\":\"2024-12-04T19:45:54.250Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.250Z\",\"created_by\":\"elastic\",\"name\":\"InstallUtil Process Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\\n\\nsequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"installutil.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"installutil.exe\\\" and network.direction : (\\\"outgoing\\\", \\\"egress\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"InstallUtil Process Making Network Connections\",\"description\":\"Identifies InstallUtil.exe making outbound network connections. 
This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.250Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* the benefit of doing this as an eql sequence vs kql is 
this will limit to alerting only on the first network connection */\\n\\nsequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"installutil.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"installutil.exe\\\" and network.direction : (\\\"outgoing\\\", \\\"egress\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"revision\":0,\"current_rule\":{\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"updated_at\":\"2024-12-04T19:45:54.254Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.254Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSASS Clone Creation via PssCaptureSnapShot\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code:\\\"4688\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSASS Clone Creation via PssCaptureSnapShot\",\"description\":\"Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.254Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code:\\\"4688\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"revision\":0,\"current_rule\":{\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"updated_at\":\"2024-12-04T19:45:40.230Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.230Z\",\"created_by\":\"elastic\",\"name\":\"Windows Subsystem for Linux Distribution Installed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Distribution Installed\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\n (\\\"HK*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Subsystem for Linux Distribution Installed\",\"description\":\"Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Distribution Installed\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.230Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\n (\\\"HK*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"revision\":0,\"current_rule\":{\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"updated_at\":\"2024-12-04T19:45:54.262Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.262Z\",\"created_by\":\"elastic\",\"name\":\"Potential Reverse Shell Activity via Terminal\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Reverse Shell Activity via Terminal\\n\\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. 
This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\\n\\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\\n\\n#### Possible investigation steps\\n\\n- Examine the command line and extract the target domain or IP address information.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling 
an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.name in (\\\"sh\\\", \\\"bash\\\", \\\"zsh\\\", \\\"dash\\\", \\\"zmodload\\\") and\\n process.args : (\\\"*/dev/tcp/*\\\", \\\"*/dev/udp/*\\\", \\\"*zsh/net/tcp*\\\", \\\"*zsh/net/udp*\\\") and\\n\\n /* noisy FPs */\\n not (process.parent.name : \\\"timeout\\\" and process.executable : \\\"/var/lib/docker/overlay*\\\") and\\n not process.command_line : (\\n \\\"*/dev/tcp/sirh_db/*\\\", \\\"*/dev/tcp/remoteiot.com/*\\\", \\\"*dev/tcp/elk.stag.one/*\\\", \\\"*dev/tcp/kafka/*\\\",\\n \\\"*/dev/tcp/$0/$1*\\\", \\\"*/dev/tcp/127.*\\\", \\\"*/dev/udp/127.*\\\", \\\"*/dev/tcp/localhost/*\\\", \\\"*/dev/tcp/itom-vault/*\\\") and\\n not process.parent.command_line : \\\"runc init\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Reverse Shell Activity via Terminal\",\"description\":\"Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Reverse Shell Activity via Terminal\\n\\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. 
It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\\n\\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\\n\\n#### Possible investigation steps\\n\\n- Examine the command line and extract the target domain or IP address information.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.262Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.name in (\\\"sh\\\", \\\"bash\\\", \\\"zsh\\\", \\\"dash\\\", \\\"zmodload\\\") and\\n process.args : (\\\"*/dev/tcp/*\\\", \\\"*/dev/udp/*\\\", \\\"*zsh/net/tcp*\\\", \\\"*zsh/net/udp*\\\") and\\n\\n /* noisy FPs */\\n not (process.parent.name : \\\"timeout\\\" and process.executable : \\\"/var/lib/docker/overlay*\\\") and\\n not process.command_line : (\\n \\\"*/dev/tcp/sirh_db/*\\\", \\\"*/dev/tcp/remoteiot.com/*\\\", \\\"*dev/tcp/elk.stag.one/*\\\", \\\"*dev/tcp/kafka/*\\\",\\n \\\"*/dev/tcp/$0/$1*\\\", \\\"*/dev/tcp/127.*\\\", \\\"*/dev/udp/127.*\\\", \\\"*/dev/tcp/localhost/*\\\", \\\"*/dev/tcp/itom-vault/*\\\") and\\n not process.parent.command_line : \\\"runc 
init\\\"\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\"],\"target_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"revision\":0,\"current_rule\":{\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"updated_at\":\"2024-12-04T19:45:54.264Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.264Z\",\"created_by\":\"elastic\",\"name\":\"Linux Group 
Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux Group Creation\\n\\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\\n\\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\\n\\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the group was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify if a user account was added to this group after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created group and, in case an account was added to this group, delete the account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"group\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"groupadd\\\", \\\"addgroup\\\") and group.name != 
null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Group Creation\",\"description\":\"Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux Group Creation\\n\\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\\n\\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\\n\\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the group was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify if a user account was added to this group after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created group and, in case an account was added to this group, delete the account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.264Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"group\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"groupadd\\\", \\\"addgroup\\\") and group.name != null\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"revision\":0,\"current_rule\":{\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"updated_at\":\"2024-12-04T19:45:40.233Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.233Z\",\"created_by\":\"elastic\",\"name\":\"DNS-over-HTTPS Enabled via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\",\"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : \\\"1\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" 
and\\n registry.data.strings : \\\"1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNS-over-HTTPS Enabled via Registry\",\"description\":\"Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\",\"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.233Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : \\\"1\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : 
\\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"updated_at\":\"2024-12-04T19:45:54.266Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.266Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Restrictions for Marketplace Modified to Allow Any App\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\\n - Follow up with the user who added the application to ensure this was intended.\\n- Verify the application 
identified has been assessed thoroughly by an administrator.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G 
Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6089179?hl=en\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.event.type:\\\"APPLICATION_SETTINGS\\\" and google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\"\\n and google_workspace.admin.setting.name:\\\"Apps Access Setting Allowlist access\\\" and google_workspace.admin.new_value:\\\"ALLOW_ALL\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Restrictions for Marketplace Modified to Allow Any App\",\"description\":\"Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. 
Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\\n - Follow up with the user who added the application to ensure this was intended.\\n- Verify the application identified has been assessed thoroughly by an administrator.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.266Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.event.type:\\\"APPLICATION_SETTINGS\\\" and google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\"\\n and google_workspace.admin.setting.name:\\\"Apps Access Setting Allowlist access\\\" and google_workspace.admin.new_value:\\\"ALLOW_ALL\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6089179?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"revision\":0,\"current_rule\":{\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"updated_at\":\"2024-12-04T19:45:54.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.269Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Mailbox Collection Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Mailbox Collection Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to collect emails from local and remote mailboxes.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n - Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n- Note that the query excludes events where `user.id` is `S-1-5-18` (the local SYSTEM account); mailbox collection performed by a script running as SYSTEM will not trigger this rule.\\n\\n### Related rules\\n\\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email 
Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1\",\"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n 
powershell.file.script_block_text : (\\n \\\"Microsoft.Office.Interop.Outlook\\\" or\\n \\\"Interop.Outlook.olDefaultFolders\\\" or\\n \\\"::olFolderInBox\\\"\\n ) or\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Exchange.WebServices.Data.Folder\\\" or\\n \\\"Microsoft.Exchange.WebServices.Data.FileAttachment\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Mailbox Collection Script\",\"description\":\"Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Mailbox Collection Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to collect emails from local and remote mailboxes.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n - Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Related rules\\n\\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1\",\"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Office.Interop.Outlook\\\" or\\n \\\"Interop.Outlook.olDefaultFolders\\\" or\\n \\\"::olFolderInBox\\\"\\n ) or\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Exchange.WebServices.Data.Folder\\\" or\\n \\\"Microsoft.Exchange.WebServices.Data.FileAttachment\\\"\\n )\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"revision\":0,\"current_rule\":{\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"updated_at\":\"2024-12-04T19:45:54.275Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.275Z\",\"created_by\":\"elastic\",\"name\":\"Execution via local SxS Shared Module\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. 
Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1129\",\"name\":\"Shared Modules\",\"reference\":\"https://attack.mitre.org/techniques/T1129/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and file.extension : \\\"dll\\\" and file.path : \\\"C:\\\\\\\\*\\\\\\\\*.exe.local\\\\\\\\*.dll\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via local SxS Shared Module\",\"description\":\"Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1129\",\"name\":\"Shared Modules\",\"reference\":\"https://attack.mitre.org/techniques/T1129/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.275Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and file.extension : \\\"dll\\\" and file.path : \\\"C:\\\\\\\\*\\\\\\\\*.exe.local\\\\\\\\*.dll\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"revision\":0,\"current_rule\":{\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"updated_at\":\"2024-12-04T19:46:04.733Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.733Z\",\"created_by\":\"elastic\",\"name\":\"AWS EC2 Instance Interaction with IAM Service\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. 
This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.\"],\"from\":\"now-6m\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://redcanary.com/blog/aws-sts/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains (user.id, \\\":i-\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 Instance Interaction with IAM Service\",\"description\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. 
It is meant to be used for correlation with other rules to detect suspicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.\"],\"references\":[\"https://redcanary.com/blog/aws-sts/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.733Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance.\",\"target_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. 
This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.\",\"merged_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. 
It is meant to be used for correlation with other rules to detect suspicious activity.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"target_version\":{\"type\":\"default\"},\"merged_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains (user.id, \\\":i-\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":10,\"num_fields_with_conflicts\":9,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"revision\":0,\"current_rule\":{\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"updated_at\":\"2024-12-04T19:45:55.340Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.340Z\",\"created_by\":\"elastic\",\"name\":\"Windows Registry File Creation in SMB Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage 
and analysis\\n\\n### Investigating Windows Registry File Creation in SMB Share\\n\\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\\n\\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it.\\n\\n### Related rules\\n\\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Registry File Creation in SMB Share\",\"description\":\"Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled 
system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Registry File Creation in SMB Share\\n\\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\\n\\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\\n\\n### Related rules\\n\\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.340Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n 
\\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"revision\":0,\"current_rule\":{\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"updated_at\":\"2024-12-04T19:45:55.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.217Z\",\"created_by\":\"elastic\",\"name\":\"Potential Reverse Shell via UDP\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. 
This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a1\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule no additional audit rules are required to be added to the integration.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, process.parent.pid\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"executed\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n 
\\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"socket\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and auditd.data.a1 == \\\"2\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connected-to\\\" and\\n process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and network.direction == \\\"egress\\\" and destination.ip != null and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Reverse Shell via UDP\",\"description\":\"This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. 
An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. 
For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule no additional audit rules are required to be added to the 
integration.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a1\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, process.parent.pid\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"executed\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"socket\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", 
\\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and auditd.data.a1 == \\\"2\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connected-to\\\" and\\n process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and network.direction == \\\"egress\\\" and destination.ip != null and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\"],\"target_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"revision\":0,\"current_rule\":{\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"updated_at\":\"2024-12-04T19:45:55.226Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.226Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious MS Office Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Office Child Process\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThis rule looks for suspicious processes spawned by MS Office programs. 
This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/blog/vulnerability-summary-follina\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\n \\\"eqnedt32.exe\\\", \\\"excel.exe\\\", \\\"fltldr.exe\\\", \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\", \\\"powerpnt.exe\\\", \\\"winword.exe\\\", \\\"outlook.exe\\\"\\n ) and\\n process.name : (\\n \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\",\\n \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\",\\n \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\n \\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"hh.exe\\\", \\\"msdt.exe\\\"\\n ) and\\n not (\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"shell32.dll,Control_RunDLL\\\" and\\n 
process.args : \\\"srchadmin.dll\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious MS Office Child Process\",\"description\":\"Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Office Child Process\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/blog/vulnerability-summary-follina\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.226Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\n 
\\\"eqnedt32.exe\\\", \\\"excel.exe\\\", \\\"fltldr.exe\\\", \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\", \\\"powerpnt.exe\\\", \\\"winword.exe\\\", \\\"outlook.exe\\\"\\n ) and\\n process.name : (\\n \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\",\\n \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\",\\n \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\n \\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"hh.exe\\\", \\\"msdt.exe\\\"\\n ) and\\n not (\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"shell32.dll,Control_RunDLL\\\" and\\n process.args : \\\"srchadmin.dll\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"revision\":0,\"current_rule\":{\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"updated_at\":\"2024-12-04T19:45:55.234Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.234Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler SPL File Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and 
CVE-2020-1337.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Print Spooler SPL File Created\\n\\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\\n\\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\`, which is an essential step in exploiting these vulnerabilities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : \\\"spl\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\PRINTERS\\\\\\\\*\\\" and\\n not process.name : (\\\"spoolsv.exe\\\",\\n \\\"printfilterpipelinesvc.exe\\\",\\n \\\"PrintIsolationHost.exe\\\",\\n \\\"splwow64.exe\\\",\\n \\\"msiexec.exe\\\",\\n \\\"poqexec.exe\\\",\\n \\\"System\\\") and\\n not user.id : \\\"S-1-5-18\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\printui.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~2\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler SPL File Created\",\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and 
CVE-2020-1337.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Print Spooler SPL File Created\\n\\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\\n\\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\`, which is an essential step in exploiting these vulnerabilities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.234Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : \\\"spl\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\PRINTERS\\\\\\\\*\\\" and\\n not process.name : (\\\"spoolsv.exe\\\",\\n \\\"printfilterpipelinesvc.exe\\\",\\n \\\"PrintIsolationHost.exe\\\",\\n \\\"splwow64.exe\\\",\\n \\\"msiexec.exe\\\",\\n \\\"poqexec.exe\\\",\\n \\\"System\\\") and\\n not user.id : \\\"S-1-5-18\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\printui.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~2\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"revision\":0,\"current_rule\":{\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"updated_at\":\"2024-12-04T19:45:55.236Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.236Z\",\"created_by\":\"elastic\",\"name\":\"Credential Acquisition via Registry Hive Dumping\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Credential Acquisition via Registry Hive Dumping\\n\\nDumping registry hives is a common way to access credential information as some hives store credential material.\\n\\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\\n\\nDumping these hives in combination with the SYSTEM hive 
enables the attacker to decrypt these secrets.\\n\\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitimately performing this kind of activity.\\n\\n### Related rules\\n\\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA 
Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"reg.exe\\\" or process.name : \\\"reg.exe\\\") and\\n process.args : (\\\"save\\\", \\\"export\\\") and\\n process.args : (\\\"hklm\\\\\\\\sam\\\", \\\"hklm\\\\\\\\security\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Credential Acquisition via Registry 
Hive Dumping\",\"description\":\"Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Credential Acquisition via Registry Hive Dumping\\n\\nDumping registry hives is a common way to access credential information as some hives store credential material.\\n\\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\\n\\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\\n\\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitimately performing this kind of activity.\\n\\n### Related rules\\n\\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.236Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"reg.exe\\\" or process.name : \\\"reg.exe\\\") and\\n process.args : (\\\"save\\\", \\\"export\\\") and\\n process.args : (\\\"hklm\\\\\\\\sam\\\", 
\\\"hklm\\\\\\\\security\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"revision\":0,\"current_rule\":{\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"updated_at\":\"2024-12-04T19:46:04.738Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.738Z\",\"created_by\":\"elastic\",\"name\":\"Privileged Docker Container Creation\",\"tags\":[\"Domain: Endpoint\",\"Domain: Container\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. 
Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. access.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## 
Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\\nprocess.args:(run and --privileged)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Privileged Docker Container Creation\",\"description\":\"This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. 
access.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"Domain: Container\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.738Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\\nprocess.args:(run and --privileged)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"merged_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"updated_at\":\"2024-12-04T19:45:55.245Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.245Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious File Downloaded from Google Drive\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious file download activity from a Google Drive URL. 
This could indicate an attempt to deliver phishing payloads via a trusted webservice.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Approved third-party applications that use Google Drive download URLs.\",\"Legitimate publicly shared files from Google Drive.\"],\"from\":\"now-9m\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\"],\"query\":\"process where\\n\\n /* common browser processes */\\n event.action in (\\\"exec\\\", \\\"fork\\\", \\\"start\\\") and \\n\\n process.name : (\\\"Microsoft Edge\\\", \\\"chrome.exe\\\", \\\"Google Chrome\\\", \\\"google-chrome-stable\\\", \\n \\\"google-chrome-beta\\\", \\\"google-chrome\\\", \\\"msedge.exe\\\", \\\"firefox.exe\\\", \\\"brave.exe\\\", \\n \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", 
\\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"firefox\\\", \\n \\\"powershell.exe\\\", \\\"curl\\\", \\\"curl.exe\\\", \\\"wget\\\", \\\"wget.exe\\\") and \\n\\n /* Look for Google Drive download URL with AV flag skipping */\\n (process.command_line : \\\"*drive.google.com*\\\" and process.command_line : \\\"*export=download*\\\" and process.command_line : \\\"*confirm=no_antivirus*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious File Downloaded from Google Drive\",\"description\":\"Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Approved third-party applications that use Google Drive download URLs.\",\"Legitimate publicly shared files from Google Drive.\"],\"references\":[\"https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.245Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where\\n\\n /* common browser processes */\\n event.action in (\\\"exec\\\", \\\"fork\\\", \\\"start\\\") and \\n\\n process.name : (\\\"Microsoft Edge\\\", \\\"chrome.exe\\\", \\\"Google Chrome\\\", \\\"google-chrome-stable\\\", \\n \\\"google-chrome-beta\\\", \\\"google-chrome\\\", \\\"msedge.exe\\\", \\\"firefox.exe\\\", \\\"brave.exe\\\", \\n \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"firefox\\\", \\n \\\"powershell.exe\\\", \\\"curl\\\", \\\"curl.exe\\\", \\\"wget\\\", \\\"wget.exe\\\") and \\n\\n /* Look for Google Drive download URL with AV flag skipping */\\n (process.command_line : \\\"*drive.google.com*\\\" and process.command_line : \\\"*export=download*\\\" and process.command_line : \\\"*confirm=no_antivirus*\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"revision\":0,\"current_rule\":{\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"updated_at\":\"2024-12-04T19:45:55.252Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.252Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Password Policy Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation 
Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Password Policy Modified\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\\n\\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\\n\\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\\n\\n#### Possible investigation steps\\n\\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method 
used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider resetting passwords for potentially affected users.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Password policies may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\\n google_workspace.admin.setting.name:(\\n \\\"Password Management - Enforce strong password\\\" or\\n \\\"Password Management - Password reset frequency\\\" or\\n \\\"Password Management - Enable password reuse\\\" or\\n \\\"Password Management - Enforce password policy at next login\\\" or\\n \\\"Password Management - Minimum password length\\\" or\\n \\\"Password Management - Maximum password length\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google 
Workspace Password Policy Modified\",\"description\":\"Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Password Policy Modified\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\\n\\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. 
Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\\n\\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\\n\\n#### Possible investigation steps\\n\\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider resetting passwords for potentially affected users.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to 
identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.252Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\\n google_workspace.admin.setting.name:(\\n \\\"Password Management - Enforce strong password\\\" or\\n \\\"Password Management - Password reset frequency\\\" or\\n \\\"Password Management - Enable password reuse\\\" or\\n \\\"Password Management - Enforce password policy at next login\\\" or\\n \\\"Password Management - Minimum password length\\\" or\\n \\\"Password Management - Maximum password length\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"revision\":0,\"current_rule\":{\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"updated_at\":\"2024-12-04T19:45:40.240Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.240Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Hidden Run Key Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. 
An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/outflanknl/SharpHide\",\"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* Registry Path ends with backslash */\\nregistry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and length(registry.data.strings) > 0 and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Hidden Run Key Detected\",\"description\":\"Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. 
An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/outflanknl/SharpHide\",\"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.240Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Registry Path ends with backslash */\\nregistry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and length(registry.data.strings) > 0 and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"revision\":0,\"current_rule\":{\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"updated_at\":\"2024-12-04T19:45:55.254Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.254Z\",\"created_by\":\"elastic\",\"name\":\"IPSEC NAT Traversal Port Activity\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. 
This is uncommon but such servers can be excluded.\"],\"from\":\"now-9m\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"IPSEC NAT Traversal Port Activity\",\"description\":\"This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. 
This may be common on your network, but this technique is also used by threat actors to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and 
Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.254Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"revision\":0,\"current_rule\":{\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"updated_at\":\"2024-12-04T19:45:55.259Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.259Z\",\"created_by\":\"elastic\",\"name\":\"System Log File Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of sensitive Linux system logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.002\",\"name\":\"Clear Linux or Mac System Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Log File Deletion\",\"description\":\"Identifies the deletion of sensitive Linux system logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.002\",\"name\":\"Clear Linux or Mac System Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.259Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n 
\\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\"],\"target_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", 
\\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"revision\":0,\"current_rule\":{\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"updated_at\":\"2024-12-04T19:45:55.261Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.261Z\",\"created_by\":\"elastic\",\"name\":\"Remotely Started Services via RPC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation 
Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remotely Started Services via RPC\\n\\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\\n\\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == 
null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1s\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"services.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port >= 49152 and destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n [process where host.os.type == 
\\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"services.exe\\\" and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"/V\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\srmhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\"\\n )] by host.id, process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remotely Started Services via RPC\",\"description\":\"Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remotely Started Services via RPC\\n\\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\\n\\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
Use the `source.address` field to help identify the source system.\\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services 
Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.261Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1s\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"services.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port >= 49152 and destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : 
\\\"services.exe\\\" and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"/V\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\srmhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\"\\n )] by host.id, process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\"],\"target_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"revision\":0,\"current_rule\":{\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"updated_at\":\"2024-12-04T19:45:55.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.269Z\",\"created_by\":\"elastic\",\"name\":\"Remote Execution via File Shares\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Execution via File Shares\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.exe
cutable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"],\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint2010.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\", \\\"PDQInventoryWakeCommand-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n )\\n )\\n ] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Execution via File Shares\",\"description\":\"Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Execution via File Shares\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. 
These tools can include discovery utilities, credential dumpers, malware, etc.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services 
Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:45:55.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\"],\"target_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", 
\\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint2010.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\", \\\"PDQInventoryWakeCommand-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n )\\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name 
: (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"revision\":0,\"current_rule\":{\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"updated_at\":\"2024-12-04T19:46:04.746Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.746Z\",\"created_by\":\"elastic\",\"name\":\"AWS S3 Object Encryption Using External KMS Key\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Data Source: AWS KMS\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS S3 Object Encryption Using External KMS Key\\n\\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. 
Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/\",\"https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/\",\"https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"AWS S3 data event types need to be enabled in the CloudTrail trail configuration.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful copy event\\n| where 
event.dataset == \\\"aws.cloudtrail\\\" \\n and event.provider == \\\"s3.amazonaws.com\\\" \\n and event.action == \\\"CopyObject\\\" \\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id \\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS S3 Object Encryption Using External KMS Key\",\"description\":\"Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS S3 Object Encryption Using External KMS Key\\n\\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. 
Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review**: If the activity was unauthorized, search for a potential ransom note placed in the S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Data Source: AWS KMS\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. 
Ensure that this behavior is not part of a legitimate operation before taking action.\"],\"references\":[\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/\",\"https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/\",\"https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"setup\":\"AWS S3 data event types need to be enabled in the CloudTrail trail configuration.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.746Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\" \\n and event.provider == \\\"s3.amazonaws.com\\\" \\n and event.action == \\\"CopyObject\\\" \\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where 
cloud.account.id != key.account.id \\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"revision\":0,\"current_rule\":{\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"updated_at\":\"2024-12-04T19:45:55.271Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.271Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Process Calling the Metadata Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Looks for anomalous access to the metadata service by an unusual process. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.\"],\"from\":\"now-45m\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_process\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Process Calling the Metadata Service\",\"description\":\"Looks for anomalous access to the metadata service by an unusual process. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.678Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.271Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_process\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"revision\":0,\"current_rule\":{\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"updated_at\":\"2024-12-04T19:45:55.280Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.280Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WerFault Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Windows error reporting debugger or applications restarted by WerFault after a crash.\"],\"from\":\"now-9m\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx\",\"http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n process.parent.name : \\\"WerFault.exe\\\" and\\n\\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\\n (process.parent.args : \\\"-s\\\" and process.parent.args : \\\"-t\\\" and process.parent.args : \\\"-c\\\") and\\n\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Initcrypt.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Heimdal\\\\\\\\Heimdal.Guard.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WerFault Child Process\",\"description\":\"A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. 
Verify process details such as command line, network connections and file writes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Windows error reporting debugger or applications restarted by WerFault after a crash.\"],\"references\":[\"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx\",\"http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.280Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n process.parent.name : \\\"WerFault.exe\\\" and\\n\\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\\n (process.parent.args : \\\"-s\\\" and process.parent.args : \\\"-t\\\" and process.parent.args : \\\"-c\\\") and\\n\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Initcrypt.exe\\\", \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Heimdal\\\\\\\\Heimdal.Guard.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"revision\":0,\"current_rule\":{\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"updated_at\":\"2024-12-04T19:46:04.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.748Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. 
Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", 
\\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Created or Modified\",\"description\":\"This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. 
Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"target_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n 
process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"revision\":0,\"current_rule\":{\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"updated_at\":\"2024-12-04T19:46:04.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.750Z\",\"created_by\":\"elastic\",\"name\":\"Outlook Home Page Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.004\",\"name\":\"Outlook Home 
Page\",\"reference\":\"https://attack.mitre.org/techniques/T1137/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/\",\"https://github.com/trustedsec/specula\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Outlook Home Page Registry Modification\",\"description\":\"Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or 
persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/\",\"https://github.com/trustedsec/specula\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.004\",\"name\":\"Outlook Home 
Page\",\"reference\":\"https://attack.mitre.org/techniques/T1137/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : 
\\\"*http*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"revision\":0,\"current_rule\":{\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"updated_at\":\"2024-12-04T19:45:55.287Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.287Z\",\"created_by\":\"elastic\",\"name\":\"Potential Invoke-Mimikatz PowerShell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. 
This rule detects Invoke-Mimikatz PowerShell script and alike.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz PowerShell Activity\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\\n\\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\\n\\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \\\"Related Rules\\\" section.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/software/S0002/\",\"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\npowershell.file.script_block_text:(\\n (DumpCreds and\\n DumpCerts) or\\n \\\"sekurlsa::logonpasswords\\\" or\\n (\\\"crypto::certificates\\\" and\\n \\\"CERT_SYSTEM_STORE_LOCAL_MACHINE\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Invoke-Mimikatz PowerShell Script\",\"description\":\"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. 
This rule detects Invoke-Mimikatz PowerShell script and alike.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz PowerShell Activity\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\\n\\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\\n\\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \\\"Related Rules\\\" section.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/software/S0002/\",\"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.287Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\npowershell.file.script_block_text:(\\n (DumpCreds and\\n DumpCerts) or\\n \\\"sekurlsa::logonpasswords\\\" or\\n (\\\"crypto::certificates\\\" and\\n \\\"CERT_SYSTEM_STORE_LOCAL_MACHINE\\\")\\n)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"revision\":0,\"current_rule\":{\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"updated_at\":\"2024-12-04T19:45:55.290Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.290Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace API Access Granted via Domain-Wide Delegation\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\\n\\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. 
Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\\n\\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\\n\\nThis rule identifies when an application is authorized API client access.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - Only users with super admin privileges can authorize API client access.\\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\\n\\n### False positive analysis\\n\\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\\n- Review scheduled maintenance notes related to expected API access changes.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the scope of the authorized API client access in Google Workspace.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin\\n and event.provider:admin\\n and event.category:iam\\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\\n and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace API Access Granted via Domain-Wide Delegation\",\"description\":\"Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. 
An adversary may configure domain-wide delegation to maintain access to their target’s data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\\n\\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\\n\\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\\n\\nThis rule identifies when an application is authorized API client access.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - Only users with super admin privileges can authorize API client access.\\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\\n\\n### False positive analysis\\n\\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\\n- Review scheduled maintenance notes related to expected API access changes.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the scope of the authorized API client access in Google Workspace.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.290Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin\\n and event.provider:admin\\n and event.category:iam\\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\\n and 
event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\"],\"target_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"revision\":0,\"current_rule\":{\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"updated_at\":\"2024-12-04T19:45:55.297Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.297Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Managed Code Hosting Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code 
execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : (\\\"wscript.exe.log\\\",\\n \\\"cscript.exe.log\\\",\\n \\\"mshta.exe.log\\\",\\n \\\"wmic.exe.log\\\",\\n \\\"svchost.exe.log\\\",\\n \\\"dllhost.exe.log\\\",\\n \\\"cmstp.exe.log\\\",\\n \\\"regsvr32.exe.log\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Managed Code Hosting Process\",\"description\":\"Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code 
execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.297Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : (\\\"wscript.exe.log\\\",\\n \\\"cscript.exe.log\\\",\\n \\\"mshta.exe.log\\\",\\n \\\"wmic.exe.log\\\",\\n \\\"svchost.exe.log\\\",\\n \\\"dllhost.exe.log\\\",\\n \\\"cmstp.exe.log\\\",\\n \\\"regsvr32.exe.log\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"revision\":0,\"current_rule\":{\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"updated_at\":\"2024-12-04T19:45:55.299Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.299Z\",\"created_by\":\"elastic\",\"name\":\"Signed Proxy Execution via MS Work Folders\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. 
Misuse of Windows Work Folders could indicate malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Signed Proxy Execution via MS Work Folders\\n\\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\\n\\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\\ndisk from a separate binary.\\n\\n### False positive analysis\\n\\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\\n- Confirm with the user whether this was expected or not, and reset their password.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview\",\"https://twitter.com/ElliotKillick/status/1449812843772227588\",\"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\"\\n and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Signed Proxy Execution via MS Work Folders\",\"description\":\"Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Signed Proxy Execution via MS Work Folders\\n\\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\\n\\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\\ndisk from a separate binary.\\n\\n### False positive analysis\\n\\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\\n- Confirm with the user whether this was expected or not, and reset their password.\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview\",\"https://twitter.com/ElliotKillick/status/1449812843772227588\",\"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.299Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : 
\\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## 
Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\"\\n and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"revision\":0,\"current_rule\":{\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"updated_at\":\"2024-12-04T19:45:55.302Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.302Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Custom Admin Role Created\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role is created in Google Workspace. 
An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Admin Role Created\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\\n\\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace what actions are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that created the role, verify whether the action was intentional.\\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Custom Admin Role Created\",\"description\":\"Detects when a custom admin role is created in Google Workspace. 
An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Admin Role Created\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\\n\\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace what actions are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that created the role, verify whether the action was intentional.\\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Google Workspace admin roles may be created by system administrators. 
Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.302Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"revision\":0,\"current_rule\":{\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"updated_at\":\"2024-12-04T19:45:55.304Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.304Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Portable Executable Encoded in Powershell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. 
Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar 
software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n TVqQAAMAAAAEAAAA\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Portable Executable Encoded in Powershell Script\",\"description\":\"Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. 
Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar 
software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell 
>\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.304Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n TVqQAAMAAAAEAAAA\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"revision\":0,\"current_rule\":{\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"updated_at\":\"2024-12-04T19:45:55.309Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.309Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious APT Package Manager Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"python*\\\", \\\"php*\\\",\\n \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious APT Package Manager Execution\",\"description\":\"Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. 
In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.309Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\"\\n )\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"python*\\\", \\\"php*\\\",\\n \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"revision\":0,\"current_rule\":{\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"updated_at\":\"2024-12-04T19:45:55.323Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.323Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Microsoft Office Add-Ins\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/Octoberfest7/XLL_Phishing\",\"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where \\n \\n host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n \\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSACCESS.EXE\\\", \\\"VSTOInstaller.exe\\\") and \\n \\n process.args regex~ \\\"\\\"\\\".+\\\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\\\"\\\"\\\" and \\n \\n /* Office Add-In from suspicious paths */\\n (process.args :\\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Rar$*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\BNZ.*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\*\\\",\\n \\\"http*\\\") or\\n\\t \\n process.parent.name : (\\\"explorer.exe\\\", \\\"OpenWith.exe\\\") or \\n \\n /* Office Add-In from suspicious parent */\\n process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\")) and\\n\\t \\n /* False Positives */\\n not (process.args : \\\"*.vsto\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogiOptionsPlus\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\")) and\\n not (process.args : \\\"/Uninstall\\\" and process.name : \\\"VSTOInstaller.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\") and\\n not (process.name : \\\"VSTOInstaller.exe\\\" and process.args : \\\"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Microsoft Office Add-Ins\",\"description\":\"Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. 
This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Octoberfest7/XLL_Phishing\",\"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.323Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where \\n \\n host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n \\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSACCESS.EXE\\\", \\\"VSTOInstaller.exe\\\") and \\n \\n process.args regex~ \\\"\\\"\\\".+\\\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\\\"\\\"\\\" and \\n \\n /* Office Add-In from suspicious paths */\\n (process.args :\\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Rar$*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\BNZ.*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\*\\\",\\n \\\"http*\\\") or\\n\\t \\n process.parent.name : (\\\"explorer.exe\\\", \\\"OpenWith.exe\\\") or \\n \\n /* Office Add-In from suspicious parent */\\n process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\")) and\\n\\t \\n /* False Positives */\\n not (process.args : \\\"*.vsto\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogiOptionsPlus\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\")) and\\n not (process.args : \\\"/Uninstall\\\" and process.name : \\\"VSTOInstaller.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\") and\\n not (process.name : \\\"VSTOInstaller.exe\\\" and process.args : 
\\\"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"revision\":0,\"current_rule\":{\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"updated_at\":\"2024-12-04T19:45:55.325Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.325Z\",\"created_by\":\"elastic\",\"name\":\"Shared Object Created or Changed by Previously Unknown Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shared Object Created or Changed by Previously Unknown Process\\n\\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. 
The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\\n\\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\\n\\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the shared object that was created or modified through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions, and match on the process executable path rather than on the process name alone, since the name is chosen by whoever launches the binary.\\n- If this activity is related to a system administrator who performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threatpost.com/sneaky-malware-backdoors-linux/180158/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or\\n \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or \\\"platform-python\\\") or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"file.path\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Shared Object Created or Changed by Previously Unknown Process\",\"description\":\"This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shared Object Created or Changed by Previously Unknown Process\\n\\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\\n\\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\\n\\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Use OSQuery to investigate the shared object that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\\\n\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the created or altered shared object loads or references other suspicious files elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions, and match on the process executable path rather than on the process name alone, since the name is chosen by whoever launches the binary.\\n- If this activity is related to a system administrator who performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threatpost.com/sneaky-malware-backdoors-linux/180158/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.325Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or 
\\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"new_terms_fields\":[\"file.path\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type
\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or\\n \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or \\\"platform-python\\\") or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or \\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or 
file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or \\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"file.path\",\"process.executable\"],\"target_version\":[\"file.path\",\"process.executable\"],\"merged_version\":[\"file.path\",\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"revision\":0,\"current_rule\":{\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"updated_at\":\"2024-12-04T19:45:55.330Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.330Z\",\"created_by\":\"elastic\",\"name\":\"Local Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"
process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type != \\\"end\\\" and\\n ((process.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") or\\n process.pe.original_file_name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\",\\n \\\"winrshost.exe\\\")) or\\n ?process.code_signature.trusted == false)] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"schtasks.exe\\\" or process.pe.original_file_name == \\\"schtasks.exe\\\") and\\n process.args : (\\\"/create\\\", \\\"-create\\\") and process.args : (\\\"/RU\\\", \\\"/SC\\\", \\\"/TN\\\", \\\"/TR\\\", \\\"/F\\\", \\\"/XML\\\") and\\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\")\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Local Scheduled Task Creation\",\"description\":\"Indicates the creation of a scheduled task. 
Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.330Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type != \\\"end\\\" and\\n ((process.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") or\\n process.pe.original_file_name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", 
\\\"wsmprovhost.exe\\\",\\n \\\"winrshost.exe\\\")) or\\n ?process.code_signature.trusted == false)] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"schtasks.exe\\\" or process.pe.original_file_name == \\\"schtasks.exe\\\") and\\n process.args : (\\\"/create\\\", \\\"-create\\\") and process.args : (\\\"/RU\\\", \\\"/SC\\\", \\\"/TN\\\", \\\"/TR\\\", \\\"/F\\\", \\\"/XML\\\") and\\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\")\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\"],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"revision\":0,\"current_rule\":{\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"updated_at\":\"2024-12-04T19:45:56.473Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.473Z\",\"created_by\":\"elastic\",\"name\":\"Netsh Helper DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.007\",\"name\":\"Netsh Helper DLL\",\"reference\":\"https://attack.mitre.org/techniques/T1546/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Netsh Helper DLL\",\"description\":\"Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. 
Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.007\",\"name\":\"Netsh Helper DLL\",\"reference\":\"https://attack.mitre.org/techniques/T1546/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.473Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"revision\":0,\"current_rule\":{\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"updated_at\":\"2024-12-04T19:46:04.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.753Z\",\"created_by\":\"elastic\",\"name\":\"Potential Abuse of Resources by High 
Token Count and Large Response Sizes\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: LLM04\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized heavy usage of the system that is business justified and monitored.\"],\"from\":\"now-60m\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://owasp.org/www-project-top-10-for-large-language-model-applications/\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Abuse of Resources by High Token Count and Large Response Sizes\",\"description\":\"Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. 
This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: 
LLM04\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized heavy usage of the system that is business justified and monitored.\"],\"references\":[\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://owasp.org/www-project-top-10-for-large-language-model-applications/\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor 
desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers 
a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to 
prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and 
total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"revision\":0,\"current_rule\":{\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"updated_at\":\"2024-12-04T19:45:56.477Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.477Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Share Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"sequence by user.name, source.port, source.ip with maxspan=15s \\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Share Discovery\",\"description\":\"Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor 
for collection and identify potential systems of interest for Lateral Movement.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.477Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.name, source.port, source.ip with maxspan=15s \\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"revision\":0,\"current_rule\":{\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"updated_at\":\"2024-12-04T19:45:56.486Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.486Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Copy via TeamViewer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Copy via TeamViewer\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\\n\\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the user to gather information about who and why was conducting the remote access.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables 
with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"},{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Copy via TeamViewer\",\"description\":\"Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Copy via TeamViewer\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\\n\\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. 
This rule looks for the TeamViewer process creating files with suspicious extensions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the user to gather information about who and why was conducting the remote access.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"},{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.486Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and 
process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"revision\":0,\"current_rule\":{\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"updated_at\":\"2024-12-04T19:45:56.493Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.493Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Compiled HTML File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. 
CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the command lines for suspicious activities.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails 
from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : 
\\\"localhost\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Compiled HTML File\",\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the command lines for suspicious activities.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails 
from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.493Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : 
\\\"localhost\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"revision\":0,\"current_rule\":{\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"updated_at\":\"2024-12-04T19:45:56.505Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.505Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Endpoint Security Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious Endpoint Security parent process was detected. 
This may indicate a process hollowing or other form of code injection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"esensor.exe\\\", \\\"elastic-endpoint.exe\\\") and\\n process.parent.executable != null and\\n /* add FPs here */\\n not process.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\"\\n ) and\\n not (\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SecurityHealthHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n ) and\\n process.args : (\\n \\\"test\\\", \\\"version\\\",\\n \\\"top\\\", \\\"run\\\",\\n \\\"*help\\\", \\\"status\\\",\\n \\\"upgrade\\\", \\\"/launch\\\",\\n \\\"/enable\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Endpoint Security Parent Process\",\"description\":\"A suspicious Endpoint Security parent process was detected. 
This may indicate a process hollowing or other form of code injection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.505Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"esensor.exe\\\", \\\"elastic-endpoint.exe\\\") and\\n process.parent.executable != null and\\n /* add FPs here */\\n not process.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\"\\n ) and\\n not (\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SecurityHealthHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n ) and\\n process.args : (\\n 
\\\"test\\\", \\\"version\\\",\\n \\\"top\\\", \\\"run\\\",\\n \\\"*help\\\", \\\"status\\\",\\n \\\"upgrade\\\", \\\"/launch\\\",\\n \\\"/enable\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"revision\":0,\"current_rule\":{\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"updated_at\":\"2024-12-04T19:45:56.548Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.548Z\",\"created_by\":\"elastic\",\"name\":\"Code Signing Policy Modification Through Built-in tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Built-in tools\\n\\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\\n\\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\\n\\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name: \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and process.args: (\\\"-set\\\", \\\"/set\\\") and \\n process.args: (\\\"TESTSIGNING\\\", \\\"nointegritychecks\\\", \\\"loadoptions\\\", \\\"DISABLE_INTEGRITY_CHECKS\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Code Signing Policy Modification Through Built-in tools\",\"description\":\"Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity for a program and grants the user the ability to check whether the program has been tampered with. 
By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Built-in tools\\n\\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\\n\\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, which puts the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\\n\\nThis rule identifies `bcdedit` commands that can disable the Driver Signature Enforcement feature. It matches on the process start event and its arguments, so it fires when the command is run, whether or not the policy change actually succeeded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via the PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that Driver Signature Enforcement is re-enabled on the system: revert any `TESTSIGNING`, `nointegritychecks`, or `loadoptions` values set through `bcdedit`, and verify that the setting persists after a reboot.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.548Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name: \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and process.args: (\\\"-set\\\", \\\"/set\\\") and \\n process.args: (\\\"TESTSIGNING\\\", \\\"nointegritychecks\\\", \\\"loadoptions\\\", \\\"DISABLE_INTEGRITY_CHECKS\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"revision\":0,\"current_rule\":{\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"updated_at\":\"2024-12-04T19:45:56.557Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.557Z\",\"created_by\":\"elastic\",\"name\":\"At.exe Command Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of at.exe to interact with the task scheduler on remote hosts. 
Remote task creations, modifications or execution could be indicative of adversary lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"},{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"at.exe\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"At.exe Command Lateral Movement\",\"description\":\"Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"},{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.557Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"at.exe\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"revision\":0,\"current_rule\":{\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"updated_at\":\"2024-12-04T19:45:56.565Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.565Z\",\"created_by\":\"elastic\",\"name\":\"Clearing Windows Console History\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Console History\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/\",\"https://www.shellhacks.com/clear-history-powershell/\",\"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or 
?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n (process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Clearing Windows Console History\",\"description\":\"Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Console History\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file. Because the rule matches on the command-line arguments of a newly started PowerShell process, the same commands typed interactively inside an already-running session are not visible to it; rely on PowerShell auditing and log collection (see Response and remediation) to cover that case.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/\",\"https://www.shellhacks.com/clear-history-powershell/\",\"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.565Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n 
(process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n (process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", 
\\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"revision\":0,\"current_rule\":{\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"updated_at\":\"2024-12-04T19:45:56.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.568Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deleted or Resized via VssAdmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Give this alert high priority, as shadow copy deletion indicates an advanced stage of the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args in (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deleted or Resized via VssAdmin\",\"description\":\"Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Give this alert high priority, as shadow copy deletion indicates an advanced stage of the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args in (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or 
?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"revision\":0,\"current_rule\":{\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"updated_at\":\"2024-12-04T19:45:56.570Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.570Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Service Started by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Started by Unusual Parent Process\\n\\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account, scoped to the parent process or command line as well rather than the account alone, since an attacker operating under a compromised administrator account would otherwise be excluded.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entry_leader.entry_meta.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and\\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \\nprocess.entry_leader.entry_meta.type:* and\\nnot (\\n process.entry_leader.entry_meta.type:(container or init or unknown) or\\n process.parent.pid:1 or\\n process.parent.executable:(\\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\\n ) or\\n process.args_count >= 5\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Service Started by Unusual Parent Process\",\"description\":\"Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. 
Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Started by Unusual Parent Process\\n\\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account, scoped to the parent process or command line as well rather than the account alone, since an attacker operating under a compromised administrator account would otherwise be excluded.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entry_leader.entry_meta.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04
T19:45:56.570Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and\\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \\nprocess.entry_leader.entry_meta.type:* and\\nnot (\\n process.entry_leader.entry_meta.type:(container or init or unknown) or\\n process.parent.pid:1 or\\n process.parent.executable:(\\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\\n ) or\\n process.args_count >= 5\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"updated_at\":\"2024-12-04T19:45:56.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.573Z\",\"created_by\":\"elastic\",\"name\":\"Elastic Agent Service Terminated\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Elastic endpoint agent has stopped and is no longer running on the host. 
Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : \\\"stop\\\")\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Elastic Agent Service Terminated\",\"description\":\"Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. 
This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : 
\\\"end\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : \\\"stop\\\")\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", 
\\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : 
\\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"revision\":0,\"current_rule\":{\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"updated_at\":\"2024-12-04T19:45:56.576Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.576Z\",\"created_by\":\"elastic\",\"name\":\"Windows Script Interpreter Executing Process via WMI\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). 
This may be indicative of malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\") and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"wmiprvse.exe\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n (process.pe.original_file_name :\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n 
\\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) or\\n process.executable : (\\\"C:\\\\\\\\Users\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.exe\\\")\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Script Interpreter Executing Process via WMI\",\"description\":\"Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.576Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == 
\\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\") and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"wmiprvse.exe\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n (process.pe.original_file_name :\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) or\\n process.executable : (\\\"C:\\\\\\\\Users\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.exe\\\")\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"revision\":0,\"current_rule\":{\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"updated_at\":\"2024-12-04T19:46:04.755Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.755Z\",\"created_by\":\"elastic\",\"name\":\"Potential Veeam Credential Access Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2021/12/13/diavol-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Veeam Credential Access Command\",\"description\":\"Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2021/12/13/diavol-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.755Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : 
\\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : 
\\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"revision\":0,\"current_rule\":{\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"updated_at\":\"2024-12-04T19:46:04.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.757Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Service ImagePath Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.011\",\"name\":\"Services Registry Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.key\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and \\n event.action == \\\"modification\\\" and registry.value == \\\"ImagePath\\\" and\\n registry.key : (\\n \\\"*\\\\\\\\ADWS\\\", \\\"*\\\\\\\\AppHostSvc\\\", \\\"*\\\\\\\\AppReadiness\\\", \\\"*\\\\\\\\AudioEndpointBuilder\\\", \\\"*\\\\\\\\AxInstSV\\\", \\\"*\\\\\\\\camsvc\\\", 
\\\"*\\\\\\\\CertSvc\\\",\\n \\\"*\\\\\\\\COMSysApp\\\", \\\"*\\\\\\\\CscService\\\", \\\"*\\\\\\\\defragsvc\\\", \\\"*\\\\\\\\DeviceAssociationService\\\", \\\"*\\\\\\\\DeviceInstall\\\", \\\"*\\\\\\\\DevQueryBroker\\\",\\n \\\"*\\\\\\\\Dfs\\\", \\\"*\\\\\\\\DFSR\\\", \\\"*\\\\\\\\diagnosticshub.standardcollector.service\\\", \\\"*\\\\\\\\DiagTrack\\\", \\\"*\\\\\\\\DmEnrollmentSvc\\\", \\\"*\\\\\\\\DNS\\\",\\n \\\"*\\\\\\\\dot3svc\\\", \\\"*\\\\\\\\Eaphost\\\", \\\"*\\\\\\\\GraphicsPerfSvc\\\", \\\"*\\\\\\\\hidserv\\\", \\\"*\\\\\\\\HvHost\\\", \\\"*\\\\\\\\IISADMIN\\\", \\\"*\\\\\\\\IKEEXT\\\",\\n \\\"*\\\\\\\\InstallService\\\", \\\"*\\\\\\\\iphlpsvc\\\", \\\"*\\\\\\\\IsmServ\\\", \\\"*\\\\\\\\LanmanServer\\\", \\\"*\\\\\\\\MSiSCSI\\\", \\\"*\\\\\\\\NcbService\\\", \\\"*\\\\\\\\Netlogon\\\",\\n \\\"*\\\\\\\\Netman\\\", \\\"*\\\\\\\\NtFrs\\\", \\\"*\\\\\\\\PlugPlay\\\", \\\"*\\\\\\\\Power\\\", \\\"*\\\\\\\\PrintNotify\\\", \\\"*\\\\\\\\ProfSvc\\\", \\\"*\\\\\\\\PushToInstall\\\", \\\"*\\\\\\\\RSoPProv\\\",\\n \\\"*\\\\\\\\sacsvr\\\", \\\"*\\\\\\\\SENS\\\", \\\"*\\\\\\\\SensorDataService\\\", \\\"*\\\\\\\\SgrmBroker\\\", \\\"*\\\\\\\\ShellHWDetection\\\", \\\"*\\\\\\\\shpamsvc\\\", \\\"*\\\\\\\\StorSvc\\\",\\n \\\"*\\\\\\\\svsvc\\\", \\\"*\\\\\\\\swprv\\\", \\\"*\\\\\\\\SysMain\\\", \\\"*\\\\\\\\Themes\\\", \\\"*\\\\\\\\TieringEngineService\\\", \\\"*\\\\\\\\TokenBroker\\\", \\\"*\\\\\\\\TrkWks\\\",\\n \\\"*\\\\\\\\UALSVC\\\", \\\"*\\\\\\\\UserManager\\\", \\\"*\\\\\\\\vm3dservice\\\", \\\"*\\\\\\\\vmicguestinterface\\\", \\\"*\\\\\\\\vmicheartbeat\\\", \\\"*\\\\\\\\vmickvpexchange\\\",\\n \\\"*\\\\\\\\vmicrdv\\\", \\\"*\\\\\\\\vmicshutdown\\\", \\\"*\\\\\\\\vmicvmsession\\\", \\\"*\\\\\\\\vmicvss\\\", \\\"*\\\\\\\\vmvss\\\", \\\"*\\\\\\\\VSS\\\", \\\"*\\\\\\\\w3logsvc\\\", \\\"*\\\\\\\\W3SVC\\\",\\n \\\"*\\\\\\\\WalletService\\\", \\\"*\\\\\\\\WAS\\\", \\\"*\\\\\\\\wercplsupport\\\", \\\"*\\\\\\\\WerSvc\\\", \\\"*\\\\\\\\Winmgmt\\\", \\\"*\\\\\\\\wisvc\\\", 
\\\"*\\\\\\\\wmiApSrv\\\",\\n \\\"*\\\\\\\\WPDBusEnum\\\", \\\"*\\\\\\\\WSearch\\\"\\n ) and\\n not (\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%systemroot%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\"\\n ) and\\n not registry.data.strings : (\\n \\\"*\\\\\\\\cmd.exe\\\",\\n \\\"*\\\\\\\\cscript.exe\\\",\\n \\\"*\\\\\\\\ieexec.exe\\\",\\n \\\"*\\\\\\\\iexpress.exe\\\",\\n \\\"*\\\\\\\\installutil.exe\\\",\\n \\\"*\\\\\\\\Microsoft.Workflow.Compiler.exe\\\",\\n \\\"*\\\\\\\\msbuild.exe\\\",\\n \\\"*\\\\\\\\mshta.exe\\\",\\n \\\"*\\\\\\\\msiexec.exe\\\",\\n \\\"*\\\\\\\\msxsl.exe\\\",\\n \\\"*\\\\\\\\net.exe\\\",\\n \\\"*\\\\\\\\powershell.exe\\\",\\n \\\"*\\\\\\\\pwsh.exe\\\",\\n \\\"*\\\\\\\\reg.exe\\\",\\n \\\"*\\\\\\\\RegAsm.exe\\\",\\n \\\"*\\\\\\\\RegSvcs.exe\\\",\\n \\\"*\\\\\\\\regsvr32.exe\\\",\\n \\\"*\\\\\\\\rundll32.exe\\\",\\n \\\"*\\\\\\\\vssadmin.exe\\\",\\n \\\"*\\\\\\\\wbadmin.exe\\\",\\n \\\"*\\\\\\\\wmic.exe\\\",\\n \\\"*\\\\\\\\wscript.exe\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Service ImagePath Modification\",\"description\":\"Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. 
Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.011\",\"name\":\"Services Registry Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.key\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and \\n event.action == \\\"modification\\\" and registry.value == \\\"ImagePath\\\" and\\n registry.key : (\\n \\\"*\\\\\\\\ADWS\\\", \\\"*\\\\\\\\AppHostSvc\\\", \\\"*\\\\\\\\AppReadiness\\\", \\\"*\\\\\\\\AudioEndpointBuilder\\\", \\\"*\\\\\\\\AxInstSV\\\", \\\"*\\\\\\\\camsvc\\\", \\\"*\\\\\\\\CertSvc\\\",\\n \\\"*\\\\\\\\COMSysApp\\\", \\\"*\\\\\\\\CscService\\\", \\\"*\\\\\\\\defragsvc\\\", \\\"*\\\\\\\\DeviceAssociationService\\\", \\\"*\\\\\\\\DeviceInstall\\\", \\\"*\\\\\\\\DevQueryBroker\\\",\\n \\\"*\\\\\\\\Dfs\\\", \\\"*\\\\\\\\DFSR\\\", \\\"*\\\\\\\\diagnosticshub.standardcollector.service\\\", \\\"*\\\\\\\\DiagTrack\\\", \\\"*\\\\\\\\DmEnrollmentSvc\\\", \\\"*\\\\\\\\DNS\\\",\\n \\\"*\\\\\\\\dot3svc\\\", \\\"*\\\\\\\\Eaphost\\\", \\\"*\\\\\\\\GraphicsPerfSvc\\\", \\\"*\\\\\\\\hidserv\\\", 
\\\"*\\\\\\\\HvHost\\\", \\\"*\\\\\\\\IISADMIN\\\", \\\"*\\\\\\\\IKEEXT\\\",\\n \\\"*\\\\\\\\InstallService\\\", \\\"*\\\\\\\\iphlpsvc\\\", \\\"*\\\\\\\\IsmServ\\\", \\\"*\\\\\\\\LanmanServer\\\", \\\"*\\\\\\\\MSiSCSI\\\", \\\"*\\\\\\\\NcbService\\\", \\\"*\\\\\\\\Netlogon\\\",\\n \\\"*\\\\\\\\Netman\\\", \\\"*\\\\\\\\NtFrs\\\", \\\"*\\\\\\\\PlugPlay\\\", \\\"*\\\\\\\\Power\\\", \\\"*\\\\\\\\PrintNotify\\\", \\\"*\\\\\\\\ProfSvc\\\", \\\"*\\\\\\\\PushToInstall\\\", \\\"*\\\\\\\\RSoPProv\\\",\\n \\\"*\\\\\\\\sacsvr\\\", \\\"*\\\\\\\\SENS\\\", \\\"*\\\\\\\\SensorDataService\\\", \\\"*\\\\\\\\SgrmBroker\\\", \\\"*\\\\\\\\ShellHWDetection\\\", \\\"*\\\\\\\\shpamsvc\\\", \\\"*\\\\\\\\StorSvc\\\",\\n \\\"*\\\\\\\\svsvc\\\", \\\"*\\\\\\\\swprv\\\", \\\"*\\\\\\\\SysMain\\\", \\\"*\\\\\\\\Themes\\\", \\\"*\\\\\\\\TieringEngineService\\\", \\\"*\\\\\\\\TokenBroker\\\", \\\"*\\\\\\\\TrkWks\\\",\\n \\\"*\\\\\\\\UALSVC\\\", \\\"*\\\\\\\\UserManager\\\", \\\"*\\\\\\\\vm3dservice\\\", \\\"*\\\\\\\\vmicguestinterface\\\", \\\"*\\\\\\\\vmicheartbeat\\\", \\\"*\\\\\\\\vmickvpexchange\\\",\\n \\\"*\\\\\\\\vmicrdv\\\", \\\"*\\\\\\\\vmicshutdown\\\", \\\"*\\\\\\\\vmicvmsession\\\", \\\"*\\\\\\\\vmicvss\\\", \\\"*\\\\\\\\vmvss\\\", \\\"*\\\\\\\\VSS\\\", \\\"*\\\\\\\\w3logsvc\\\", \\\"*\\\\\\\\W3SVC\\\",\\n \\\"*\\\\\\\\WalletService\\\", \\\"*\\\\\\\\WAS\\\", \\\"*\\\\\\\\wercplsupport\\\", \\\"*\\\\\\\\WerSvc\\\", \\\"*\\\\\\\\Winmgmt\\\", \\\"*\\\\\\\\wisvc\\\", \\\"*\\\\\\\\wmiApSrv\\\",\\n \\\"*\\\\\\\\WPDBusEnum\\\", \\\"*\\\\\\\\WSearch\\\"\\n ) and\\n not (\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%systemroot%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\"\\n ) and\\n not registry.data.strings : (\\n \\\"*\\\\\\\\cmd.exe\\\",\\n \\\"*\\\\\\\\cscript.exe\\\",\\n 
\\\"*\\\\\\\\ieexec.exe\\\",\\n \\\"*\\\\\\\\iexpress.exe\\\",\\n \\\"*\\\\\\\\installutil.exe\\\",\\n \\\"*\\\\\\\\Microsoft.Workflow.Compiler.exe\\\",\\n \\\"*\\\\\\\\msbuild.exe\\\",\\n \\\"*\\\\\\\\mshta.exe\\\",\\n \\\"*\\\\\\\\msiexec.exe\\\",\\n \\\"*\\\\\\\\msxsl.exe\\\",\\n \\\"*\\\\\\\\net.exe\\\",\\n \\\"*\\\\\\\\powershell.exe\\\",\\n \\\"*\\\\\\\\pwsh.exe\\\",\\n \\\"*\\\\\\\\reg.exe\\\",\\n \\\"*\\\\\\\\RegAsm.exe\\\",\\n \\\"*\\\\\\\\RegSvcs.exe\\\",\\n \\\"*\\\\\\\\regsvr32.exe\\\",\\n \\\"*\\\\\\\\rundll32.exe\\\",\\n \\\"*\\\\\\\\vssadmin.exe\\\",\\n \\\"*\\\\\\\\wbadmin.exe\\\",\\n \\\"*\\\\\\\\wmic.exe\\\",\\n \\\"*\\\\\\\\wscript.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"revision\":0,\"current_rule\":{\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"updated_at\":\"2024-12-04T19:45:56.597Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.597Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Invoke-NinjaCopy script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. 
Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Invoke-NinjaCopy script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Check if the imported function was executed and which file it targeted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"StealthReadFile\\\" or\\n \\\"StealthReadFileAddr\\\" or\\n \\\"StealthCloseFileDelegate\\\" or\\n \\\"StealthOpenFile\\\" or\\n \\\"StealthCloseFile\\\" or\\n \\\"StealthReadFile\\\" or\\n \\\"Invoke-NinjaCopy\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Invoke-NinjaCopy script\",\"description\":\"Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Invoke-NinjaCopy script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Check if the imported function was executed and which file it targeted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.597Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"StealthReadFile\\\" or\\n \\\"StealthReadFileAddr\\\" or\\n \\\"StealthCloseFileDelegate\\\" or\\n \\\"StealthOpenFile\\\" or\\n \\\"StealthCloseFile\\\" or\\n \\\"StealthReadFile\\\" or\\n \\\"Invoke-NinjaCopy\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"revision\":0,\"current_rule\":{\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"updated_at\":\"2024-12-04T19:45:56.600Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.600Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of Domain Backup DPAPI private key\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. 
The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]}],\"to\":\"now\",\"references\":[\"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/\",\"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107\"],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.name : (\\\"ntds_capi_*.pfx\\\", \\\"ntds_capi_*.pvk\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of Domain Backup DPAPI private key\",\"description\":\"Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. 
The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\\n\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/\",\"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password 
Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.600Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.name : (\\\"ntds_capi_*.pfx\\\", \\\"ntds_capi_*.pvk\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"revision\":0,\"current_rule\":{\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"updated_at\":\"2024-12-04T19:45:56.607Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.607Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via MsXsl\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script 
Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via MsXsl\",\"description\":\"Identifies msxsl.exe making a network 
connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.607Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and 
process.name : \\\"msxsl.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"revision\":0,\"current_rule\":{\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"updated_at\":\"2024-12-04T19:45:56.610Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.610Z\",\"created_by\":\"elastic\",\"name\":\"Kirbi File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"kirbi\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kirbi File Creation\",\"description\":\"Identifies the creation of .kirbi files. 
The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.610Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"kirbi\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: 
Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"high\",\"merged_version\":\"high\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":73,\"merged_version\":73,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"revision\":0,\"current_rule\":{\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"updated_at\":\"2024-12-04T19:45:56.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.613Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/hfiref0x/UACME\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"Clipup.exe\\\" and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ClipUp.exe\\\" and process.parent.name : \\\"dllhost.exe\\\" and\\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\\n process.parent.args : \\\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt with IEditionUpgradeManager Elevated 
COM Interface\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/hfiref0x/UACME\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"Clipup.exe\\\" and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ClipUp.exe\\\" and process.parent.name : \\\"dllhost.exe\\\" and\\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\\n process.parent.args : 
\\\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"revision\":0,\"current_rule\":{\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"updated_at\":\"2024-12-04T19:45:56.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.615Z\",\"created_by\":\"elastic\",\"name\":\"Chkconfig Service Add\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Chkconfig Service Add\\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \\n\\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the service that was created or modified.\\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. 
\\n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/rc%.d/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and \\nnot process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") and\\nnot process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Chkconfig Service Add\",\"description\":\"Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Chkconfig Service Add\\nService files are configuration files in Linux systems used to define and manage system services. 
The `Chkconfig` binary can be used to manually add, delete or modify a service. \\n\\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the service that was created or modified.\\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. 
\\n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/rc%.d/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", 
\\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and \\nnot 
process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") and\\nnot process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", \\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", \\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"revision\":0,\"current_rule\":{\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"updated_at\":\"2024-12-04T19:45:56.622Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.622Z\",\"created_by\":\"elastic\",\"name\":\"Group Policy Abuse for Privilege Addition\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Abuse for Privilege Addition\\n\\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. 
Example Path: \\\"\\\\\\\\DC.com\\\\SysVol\\\\DC.com\\\\Policies\\\\{PolicyGUID}\\\\Machine\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf\\\"\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\\n\\n### False positive analysis\\n\\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\\n\\n### Related rules\\n\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Group Policy Abuse for Privilege Addition\",\"description\":\"Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local 
admins.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Abuse for Privilege Addition\\n\\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \\\"\\\\\\\\DC.com\\\\SysVol\\\\DC.com\\\\Policies\\\\{PolicyGUID}\\\\Machine\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf\\\"\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\\n\\n### False positive analysis\\n\\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\\n- The rule fires on the directory attribute write itself (event 5136 on `gPCMachineExtensionNames`), not on the content of the change, so confirm the actual modification in `GptTmpl.inf` before treating the alert as malicious.\\n\\n### Related rules\\n\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Revert the added privilege rights and group membership changes in the GPO's `GptTmpl.inf`, and verify that the affected accounts no longer hold them.\\n- Check whether other GPOs have had similar privilege or group membership changes.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer 
Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.622Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory 
Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and 
event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"revision\":0,\"current_rule\":{\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"updated_at\":\"2024-12-04T19:45:56.625Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.625Z\",\"created_by\":\"elastic\",\"name\":\"Creation of Hidden Files and Directories via CommandLine\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Users can mark specific files as hidden simply by putting a \\\".\\\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. 
This rule looks for hidden files or folders in common writable directories.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.\"],\"from\":\"now-9m\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- 
Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of Hidden Files and Directories via CommandLine\",\"description\":\"Users can mark specific files as hidden simply by putting a \\\".\\\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. 
This rule looks for hidden files or folders in common writable directories.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.\"],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.625Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == 
\\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == 
\\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"revision\":0,\"current_rule\":{\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"updated_at\":\"2024-12-04T19:45:40.246Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.246Z\",\"created_by\":\"elastic\",\"name\":\"SolarWinds Process Disabling Services via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a SolarWinds binary modifying the start type of a service to be disabled. 
An adversary may abuse this technique to manipulate relevant security services.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", 
\\\"0x00000004\\\") and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SolarWinds Process Disabling Services via Registry\",\"description\":\"Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.246Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n 
registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such 
as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\") and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n 
\\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", 
\\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"revision\":0,\"current_rule\":{\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"updated_at\":\"2024-12-04T19:45:56.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.627Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Network Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. 
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity\\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that rarely uses the network could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_network_activity\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Network Activity\",\"description\":\"Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. 
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity\\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that rarely uses the network could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_network_activity\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"revision\":0,\"current_rule\":{\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"updated_at\":\"2024-12-04T19:45:56.632Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.632Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Image Load (taskschd.dll) from MS Office\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\\n\\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \\\"stage 2\\\" or to establish persistent access.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the files downloaded during the past 24 hours.\\n - Identify files that are related or can be executed in MS Office.\\n - Identify and analyze macros that these documents contain.\\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Related Rules\\n\\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : 
\\\"taskschd.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Image Load (taskschd.dll) from MS Office\",\"description\":\"Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\\n\\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \\\"stage 2\\\" or to establish persistent access.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the files downloaded during the past 24 hours.\\n - Identify files that are related or can be executed in MS Office.\\n - Identify and analyze macros that these documents contain.\\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Related Rules\\n\\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.632Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : 
\\\"taskschd.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"revision\":0,\"current_rule\":{\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"updated_at\":\"2024-12-04T19:45:56.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.647Z\",\"created_by\":\"elastic\",\"name\":\"Potential SYN-Based Network Scan Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. 
Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"network.packets\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\"],\"query\":\"destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential SYN-Based Network Scan Detected\",\"description\":\"This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. 
This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"network.packets\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.647Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security 
Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"revision\":0,\"current_rule\":{\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"updated_at\":\"2024-12-04T19:45:57.485Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.485Z\",\"created_by\":\"elastic\",\"name\":\"Potential Non-Standard Port SSH connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"OS: macOS\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potentially malicious processes communicating via a port pairing typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts on the usage of such uncommon ports by the ssh service. Tuning is needed to have higher confidence. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of whitelisted ports for such legitimate ssh activities.\"],\"from\":\"now-9m\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1571\",\"name\":\"Non-Standard Port\",\"reference\":\"https://attack.mitre.org/techniques/T1571/\"}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1571/\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name:\\\"ssh\\\" and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and destination.ip 
!= \\\"127.0.0.1\\\" and network.transport: \\\"tcp\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Non-Standard Port SSH connection\",\"description\":\"Identifies potentially malicious processes communicating via a port pairing typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"OS: macOS\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts on the usage of such uncommon ports by the ssh service. Tuning is needed to have higher confidence. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of whitelisted ports for such legitimate ssh activities.\"],\"references\":[\"https://attack.mitre.org/techniques/T1571/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1571\",\"name\":\"Non-Standard Port\",\"reference\":\"https://attack.mitre.org/techniques/T1571/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.485Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n 
destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name:\\\"ssh\\\" and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and destination.ip != \\\"127.0.0.1\\\" and network.transport: \\\"tcp\\\"\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in 
(\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n 
\\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"revision\":0,\"current_rule\":{\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"updated_at\":\"2024-12-04T19:45:57.360Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.360Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Keylogging Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Keylogging Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1056\",\"name\":\"Input 
Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1056/\",\"subtechnique\":[{\"id\":\"T1056.001\",\"name\":\"Keylogging\",\"reference\":\"https://attack.mitre.org/techniques/T1056/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1\",\"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \\\"Get-Keystrokes\\\") or\\n powershell.file.script_block_text : (\\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \\\"WM_KEYBOARD_LL\\\" or \\\"WH_MOUSE_LL\\\")\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Keylogging Script\",\"description\":\"Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Keylogging Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1\",\"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1056\",\"name\":\"Input Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1056/\",\"subtechnique\":[{\"id\":\"T1056.001\",\"name\":\"Keylogging\",\"reference\":\"https://attack.mitre.org/techniques/T1056/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.360Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \\\"Get-Keystrokes\\\") or\\n powershell.file.script_block_text : (\\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \\\"WM_KEYBOARD_LL\\\" or \\\"WH_MOUSE_LL\\\")\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"revision\":0,\"current_rule\":{\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"updated_at\":\"2024-12-04T19:45:57.366Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.366Z\",\"created_by\":\"elastic\",\"name\":\"Potential Defense Evasion via CMSTP.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. 
Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.003\",\"name\":\"CMSTP\",\"reference\":\"https://attack.mitre.org/techniques/T1218/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1218/003/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmstp.exe\\\" and process.args == \\\"/s\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Defense Evasion via CMSTP.exe\",\"description\":\"The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a 
command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1218/003/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.003\",\"name\":\"CMSTP\",\"reference\":\"https://attack.mitre.org/techniques/T1218/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.366Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmstp.exe\\\" and process.args == \\\"/s\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"revision\":0,\"current_rule\":{\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"updated_at\":\"2024-12-04T19:45:57.369Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.369Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler Point and Print DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx\",\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\"]\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\\\\\\*\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler Point and Print DLL\",\"description\":\"Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx\",\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.369Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\"]\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\"\\n ) and\\n registry.data.strings : 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\\\\\\*\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"revision\":0,\"current_rule\":{\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"updated_at\":\"2024-12-04T19:45:57.371Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.371Z\",\"created_by\":\"elastic\",\"name\":\"Potential Pspy Process Monitoring Detected\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/DominicBreuker/pspy\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -- \\\"-w /proc/ -p r -k audit_proc\\\"\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-auditd_manager.auditd-*\"],\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") ] with 
runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Pspy Process Monitoring Detected\",\"description\":\"This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/DominicBreuker/pspy\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -- \\\"-w /proc/ -p r -k 
audit_proc\\\"\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.371Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"target_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"merged_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : 
(\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"revision\":0,\"current_rule\":{\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"updated_at\":\"2024-12-04T19:45:57.374Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.374Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privileged Escalation via SamAccountName Spoofing\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious computer account name 
rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\",\"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\",\"https://github.com/cube0x0/noPac\",\"https://twitter.com/exploitph/status/1469157138928914432\",\"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"renamed-user-account\\\" and\\n /* machine account name renamed to user like account name */\\n winlog.event_data.OldTargetUserName : \\\"*$\\\" and not winlog.event_data.NewTargetUserName : \\\"*$\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privileged Escalation via SamAccountName 
Spoofing\",\"description\":\"Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\",\"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\",\"https://github.com/cube0x0/noPac\",\"https://twitter.com/exploitph/status/1469157138928914432\",\"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.374Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"renamed-user-account\\\" and\\n /* machine account name renamed to user like account name */\\n winlog.event_data.OldTargetUserName : \\\"*$\\\" and not winlog.event_data.NewTargetUserName : 
\\\"*$\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"revision\":0,\"current_rule\":{\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"updated_at\":\"2024-12-04T19:45:57.376Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.376Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a Host\",\"tags\":[\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. 
Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_host\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a Host\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.376Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_host\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"revision\":0,\"current_rule\":{\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"updated_at\":\"2024-12-04T19:45:57.381Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.381Z\",\"created_by\":\"elastic\",\"name\":\"Searching for Saved Credentials via VaultCmd\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. 
This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name:\\\"vaultcmd.exe\\\" or process.name:\\\"vaultcmd.exe\\\") and\\n process.args:\\\"/list*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Searching for Saved Credentials via VaultCmd\",\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. 
This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.681Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.381Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name:\\\"vaultcmd.exe\\\" or process.name:\\\"vaultcmd.exe\\\") and\\n process.args:\\\"/list*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"revision\":0,\"current_rule\":{\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"updated_at\":\"2024-12-04T19:45:57.390Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.390Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious DLL Loaded for Persistence or Privilege Escalation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\\n\\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. 
This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\\n\\n#### Possible investigation steps\\n\\n- Examine the DLL signature and identify the process that created it.\\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the DLL and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code 
Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://itm4n.github.io/windows-dll-hijacking-clarified/\",\"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\",\"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html\",\"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html\",\"https://windows-internals.com/faxing-your-way-to-system/\",\"http://waleedassar.blogspot.com/2013/01/wow64logdll.html\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not 
file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n )\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious DLL Loaded for Persistence or Privilege Escalation\",\"description\":\"Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\\n\\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. 
This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\\n\\n#### Possible investigation steps\\n\\n- Examine the DLL signature and identify the process that created it.\\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the DLL and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://itm4n.github.io/windows-dll-hijacking-clarified/\",\"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\",\"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html\",\"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html\",\"https://windows-internals.com/faxing-your-way-to-system/\",\"http://waleedassar.blogspot.com/2013/01/wow64logdll.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.390Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", 
\\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll
.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n\\n /* compatible with Sysmon 
EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", 
\\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n 
\\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" 
and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"revision\":0,\"current_rule\":{\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"updated_at\":\"2024-12-04T19:45:57.395Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.395Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of a new GPO Scheduled Task or Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: 
Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\") and\\n not process.name : \\\"dfsrs.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of a new GPO Scheduled Task or Service\",\"description\":\"Detects the creation or modification of a new Group Policy based scheduled task or service. 
These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.395Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and \\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\") and\\n not process.name : \\\"dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and 
\\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and \\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"revision\":0,\"current_rule\":{\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"updated_at\":\"2024-12-04T19:46:04.760Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.760Z\",\"created_by\":\"elastic\",\"name\":\"Active Directory Forced Authentication from Linux Host - SMB Named Pipes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a potential forced authentication using related SMB named pipes. 
Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\"],\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445] by host.ip\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Active Directory Forced Authentication from Linux Host - SMB Named Pipes\",\"description\":\"Identifies a potential forced authentication using related SMB named pipes. 
Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"}]}],\"setup\":\"## Setup\\n\\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.760Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", 
\\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"target_version\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"merged_version\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == 
\\\"connection_attempted\\\" and destination.port == 445] by host.ip\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"revision\":0,\"current_rule\":{\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"updated_at\":\"2024-12-04T19:45:57.415Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.415Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft IIS Connection Strings Decryption\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\",\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"aspnet_regiis.exe\\\" or ?process.pe.original_file_name == \\\"aspnet_regiis.exe\\\") and\\n process.args : \\\"connectionStrings\\\" and process.args : \\\"-pdf\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft IIS Connection Strings Decryption\",\"description\":\"Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\",\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.415Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"aspnet_regiis.exe\\\" or ?process.pe.original_file_name 
== \\\"aspnet_regiis.exe\\\") and\\n process.args : \\\"connectionStrings\\\" and process.args : \\\"-pdf\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"revision\":0,\"current_rule\":{\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"updated_at\":\"2024-12-04T19:45:57.425Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.425Z\",\"created_by\":\"elastic\",\"name\":\"Mshta Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Mshta.exe making outbound network connections. 
This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-20m\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=10m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n not 
process.parent.name : \\\"Microsoft.ConfigurationManagement.exe\\\" and\\n not (process.parent.executable : \\\"C:\\\\\\\\Amazon\\\\\\\\Amazon Assistant\\\\\\\\amazonAssistantService.exe\\\" or\\n process.parent.executable : \\\"C:\\\\\\\\TeamViewer\\\\\\\\TeamViewer.exe\\\") and\\n not process.args : \\\"ADSelfService_Enroll.hta\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"mshta.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mshta Making Network Connections\",\"description\":\"Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-20m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.425Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=10m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n not process.parent.name : \\\"Microsoft.ConfigurationManagement.exe\\\" and\\n not (process.parent.executable : \\\"C:\\\\\\\\Amazon\\\\\\\\Amazon Assistant\\\\\\\\amazonAssistantService.exe\\\" or\\n process.parent.executable : \\\"C:\\\\\\\\TeamViewer\\\\\\\\TeamViewer.exe\\\") and\\n not process.args : \\\"ADSelfService_Enroll.hta\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : 
\\\"mshta.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"revision\":0,\"current_rule\":{\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"updated_at\":\"2024-12-04T19:45:57.429Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.429Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via BITS Job Notify Cmdline\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[\"https://pentestlab.blog/2019/10/30/persistence-bits-jobs/\",\"https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline\",\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline\",\"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2\"],\"version\":309,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and 
process.parent.args : \\\"BITS\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\directxdatabaseupdater.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via BITS Job Notify Cmdline\",\"description\":\"An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":410,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pentestlab.blog/2019/10/30/persistence-bits-jobs/\",\"https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline\",\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline\",\"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.429Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"BITS\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\directxdatabaseupdater.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":309,\"target_version\":410,\"merged_version\":410,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"revision\":0,\"current_rule\":{\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"updated_at\":\"2024-12-04T19:45:57.438Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.438Z\",\"created_by\":\"elastic\",\"name\":\"Mounting Hidden or WebDav Remote Shares\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n process.args : \\\"use\\\" and\\n /* including hidden and webdav based online shares such as onedrive */\\n process.args : (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\", \\\"\\\\\\\\\\\\\\\\*@SSL\\\\\\\\*\\\", \\\"http*\\\") and\\n /* excluding shares deletion operation */\\n not process.args : \\\"/d*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mounting Hidden or WebDav Remote Shares\",\"description\":\"Identifies the use of net.exe to mount a WebDav or hidden remote share. 
This may indicate lateral movement or preparation for data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.438Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n process.args : \\\"use\\\" and\\n /* including hidden and webdav based online shares such as onedrive */\\n process.args : (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\", 
\\\"\\\\\\\\\\\\\\\\*@SSL\\\\\\\\*\\\", \\\"http*\\\") and\\n /* excluding shares deletion operation */\\n not process.args : \\\"/d*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"revision\":0,\"current_rule\":{\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"updated_at\":\"2024-12-04T19:45:57.440Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.440Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler File Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects deletion of print driver files by an unusual process. 
This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information.\"],\"from\":\"now-9m\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"deletion\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler File Deletion\",\"description\":\"Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uninstall or manual deletion of a legitimate printing driver files. 
Verify the printer file metadata such as manufacturer and signature information.\"],\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.440Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", 
\\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"e
cs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"deletion\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"revision\":0,\"current_rule\":{\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"updated_at\":\"2024-12-04T19:45:57.445Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.445Z\",\"created_by\":\"elastic\",\"name\":\"Attempted Private Key Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Attackers may try to access private keys, e.g. 
ssh, in order to gain further authenticated access to the environment.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"*.pem *\\\", \\\"*.pem\\\", \\\"*.id_rsa*\\\") and\\n not process.args: (\\\"--tls-cert\\\", \\\"--ssl-cert\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Software\\\\\\\\*\\\\\\\\LogiLuUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\*\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-controller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-deception-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-detection-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-enforcement-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-guest-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Schneider Electric EcoStruxure\\\\\\\\Building Operation 5.0\\\\\\\\Device Administrator\\\\\\\\Python\\\\\\\\python.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Splunk\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SplunkUniversalForwarder\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\icacls.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenSSH\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempted Private Key Access\",\"description\":\"Attackers may try to access private keys, e.g. 
ssh, in order to gain further authenticated access to the environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private 
Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.445Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"*.pem *\\\", \\\"*.pem\\\", \\\"*.id_rsa*\\\") and\\n not process.args: (\\\"--tls-cert\\\", \\\"--ssl-cert\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Software\\\\\\\\*\\\\\\\\LogiLuUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\*\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-controller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-deception-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-detection-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-enforcement-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-guest-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Schneider Electric EcoStruxure\\\\\\\\Building Operation 
5.0\\\\\\\\Device Administrator\\\\\\\\Python\\\\\\\\python.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Splunk\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SplunkUniversalForwarder\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\icacls.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenSSH\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"revision\":0,\"current_rule\":{\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"updated_at\":\"2024-12-04T19:45:57.447Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.447Z\",\"created_by\":\"elastic\",\"name\":\"Service Path Modification via sc.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data 
Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where event.type == \\\"start\\\" and process.name : \\\"sc.exe\\\" and\\n process.args : \\\"*config*\\\" and process.args : \\\"*binPath*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Path Modification via sc.exe\",\"description\":\"Identifies attempts to modify a service path setting using sc.exe. 
Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.447Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type == \\\"start\\\" and process.name : \\\"sc.exe\\\" and\\n process.args : \\\"*config*\\\" and process.args : \\\"*binPath*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"revision\":0,\"current_rule\":{\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"updated_at\":\"2024-12-04T19:45:57.450Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.450Z\",\"created_by\":\"elastic\",\"name\":\"Potential Remote Desktop Shadowing Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing\",\"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : 
(\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Remote Desktop Shadowing Activity\",\"description\":\"Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing\",\"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.450Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == 
\\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n 
)\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"revision\":0,\"current_rule\":{\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"updated_at\":\"2024-12-04T19:45:57.455Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.455Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Renamed COM+ Services DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\\n\\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\\n\\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Identify the process that created the DLL using file creation events.\\n - Inspect the file for useful metadata, such as file size and creation or modification time.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and DLL using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery 
- Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\\n\\n### Related Rules\\n\\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\\n- If 
the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.imphash\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\\nFile Name.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and\\n process.name : \\\"rundll32.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and event.dataset : 
\\\"windows.sysmon_operational\\\" and event.code == \\\"7\\\" and\\n (file.pe.original_file_name : \\\"COMSVCS.DLL\\\" or file.pe.imphash : \\\"EADBCCBB324829ACB5F2BBE87E5549A8\\\") and\\n /* renamed COMSVCS */\\n not file.name : \\\"COMSVCS.DLL\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Renamed COM+ Services DLL\",\"description\":\"Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\\n\\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\\n\\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Identify the process that created the DLL using file creation events.\\n - Inspect the file for useful metadata, such as file size and creation or modification time.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and DLL using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery 
- Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\\n\\n### Related Rules\\n\\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\\n- If 
the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"## Setup\\n\\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\\nFile Name.\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.imphash\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.455Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id 
with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and\\n process.name : \\\"rundll32.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and event.dataset : \\\"windows.sysmon_operational\\\" and event.code == \\\"7\\\" and\\n (file.pe.original_file_name : \\\"COMSVCS.DLL\\\" or file.pe.imphash : \\\"EADBCCBB324829ACB5F2BBE87E5549A8\\\") and\\n /* renamed COMSVCS */\\n not file.name : \\\"COMSVCS.DLL\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"revision\":0,\"current_rule\":{\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"updated_at\":\"2024-12-04T19:45:40.243Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.243Z\",\"created_by\":\"elastic\",\"name\":\"Installation of Custom Shim Databases\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the installation of custom 
Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\" and \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Installation of Custom Shim Databases\",\"description\":\"Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application 
Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.243Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\" and \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : 
(\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n 
\\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"revision\":0,\"current_rule\":{\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"updated_at\":\"2024-12-04T19:45:57.457Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.457Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by an Office Application\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Started by an Office Application\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. 
It is quite unusual for this program to be started by an Office application like Word or Excel.\"],\"from\":\"now-9m\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"eqnedt32.exe\\\",\\n \\\"excel.exe\\\",\\n \\\"fltldr.exe\\\",\\n \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\",\\n \\\"outlook.exe\\\",\\n \\\"powerpnt.exe\\\",\\n \\\"winword.exe\\\" )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by an Office Application\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Started by an Office Application\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThe Microsoft Build Engine is a platform for building applications. 
This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. 
It is quite unusual for this program to be started by an Office application like Word or Excel.\"],\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.457Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : 
(\\\"eqnedt32.exe\\\",\\n \\\"excel.exe\\\",\\n \\\"fltldr.exe\\\",\\n \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\",\\n \\\"outlook.exe\\\",\\n \\\"powerpnt.exe\\\",\\n \\\"winword.exe\\\" )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"revision\":0,\"current_rule\":{\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"updated_at\":\"2024-12-04T19:45:57.462Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.462Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via MpCmdRun\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and 
analysis\\n\\n### Investigating Remote File Download via MpCmdRun\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Check the reputation of the domain or IP address used to host the downloaded file.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - 
!{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/mohammadaskar2/status/1301263551638761477\",\"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"MpCmdRun.exe\\\" or ?process.pe.original_file_name == \\\"MpCmdRun.exe\\\") and\\n process.args : \\\"-DownloadFile\\\" and process.args : \\\"-url\\\" and process.args : \\\"-path\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via MpCmdRun\",\"description\":\"Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via MpCmdRun\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Check the reputation of the domain or IP address used to host the downloaded file.\\n- Examine the 
host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/mohammadaskar2/status/1301263551638761477\",\"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.462Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"MpCmdRun.exe\\\" or ?process.pe.original_file_name == \\\"MpCmdRun.exe\\\") and\\n process.args : \\\"-DownloadFile\\\" and process.args : \\\"-url\\\" and process.args : \\\"-path\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"revision\":0,\"current_rule\":{\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"updated_at\":\"2024-12-04T19:45:57.472Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.472Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Connection via DllHost\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of dllhost.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"dllhost.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\", \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Connection via DllHost\",\"description\":\"Identifies unusual instances of dllhost.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.472Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"dllhost.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\", \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n 
\\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"revision\":0,\"current_rule\":{\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"updated_at\":\"2024-12-04T19:45:57.477Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.477Z\",\"created_by\":\"elastic\",\"name\":\"Unusual File Modification by dns.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of 
exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Write\\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : 
(\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual File Modification by dns.exe\",\"description\":\"Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Write\\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.477Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in 
(\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"B
ASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"revision\":0,\"current_rule\":{\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"updated_at\":\"2024-12-04T19:45:58.370Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.370Z\",\"created_by\":\"elastic\",\"name\":\"SMB (Windows File Sharing) Activity to the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration 
Over Alternative Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMB (Windows File Sharing) Activity to the Internet\",\"description\":\"This rule detects network events that may indicate the use of Windows file sharing (also 
called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.370Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"revision\":0,\"current_rule\":{\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"updated_at\":\"2024-12-04T19:45:58.373Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.373Z\",\"created_by\":\"elastic\",\"name\":\"Direct Outbound SMB Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Direct Outbound SMB Connection\\n\\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"
type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\"],\"query\":\"sequence by process.entity_id with maxspan=2m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and \\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and \\n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \\\"Microsoft *\\\") and \\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4 and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\")]\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMB Connections via LOLBin or Untrusted Process\",\"description\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. 
Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.373Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : \\\"powershell.exe\\\" and\\n process.args 
:\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Direct Outbound SMB Connection\",\"target_version\":\"SMB Connections via LOLBin or Untrusted Process\",\"merged_version\":\"SMB Connections via LOLBin or Untrusted Process\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.\",\"target_version\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. 
Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"merged_version\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Direct Outbound SMB Connection\\n\\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. 
When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. 
Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). 
Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keywo
rd\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=2m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and \\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and \\n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \\\"Microsoft *\\\") and \\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4 and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\")]\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : 
\\\"powershell.exe\\\" and\\n process.args :\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : \\\"powershell.exe\\\" and\\n process.args :\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"revision\":0,\"current_rule\":{\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"updated_at\":\"2024-12-04T19:45:58.381Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.381Z\",\"created_by\":\"elastic\",\"name\":\"Parent Process PID Spoofing\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.didierstevens.com/2017/03/20/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.Ext.real.pid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"/* This rule is compatible with Elastic Endpoint only */\\n\\nsequence by host.id, user.id with maxspan=3m \\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.Ext.token.integrity_level_name != \\\"system\\\" and \\n (\\n process.pe.original_file_name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\",\\n \\\"fltldr.exe\\\", \\\"mspub.exe\\\", 
\\\"msaccess.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"msbuild.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") or \\n \\n (process.executable : (\\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\") and \\n (process.code_signature.exists == false or process.code_signature.status : \\\"errorBadDigest\\\")) or \\n \\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\*.exe\\\" \\n ) and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.pid\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.Ext.real.pid > 0 and \\n \\n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\\n not (process.name : \\\"msedge.exe\\\" and process.parent.name : \\\"sihost.exe\\\") and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.parent.Ext.real.pid\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Parent Process PID Spoofing\",\"description\":\"Identifies parent process spoofing used to thwart detection. 
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID 
Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.Ext.real.pid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.381Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* This rule is compatible with Elastic Endpoint only */\\n\\nsequence by host.id, user.id with maxspan=3m \\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.Ext.token.integrity_level_name != \\\"system\\\" and \\n (\\n process.pe.original_file_name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\",\\n \\\"fltldr.exe\\\", \\\"mspub.exe\\\", \\\"msaccess.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\",\\n 
\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"msbuild.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") or \\n \\n (process.executable : (\\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\") and \\n (process.code_signature.exists == false or process.code_signature.status : \\\"errorBadDigest\\\")) or \\n \\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\*.exe\\\" \\n ) and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.pid\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.Ext.real.pid > 0 and \\n \\n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\\n not (process.name : \\\"msedge.exe\\\" and process.parent.name : \\\"sihost.exe\\\") and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.parent.Ext.real.pid\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.didierstevens.com/2017/03/20/\"],\"target_version\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"revision\":0,\"current_rule\":{\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"updated_at\":\"2024-12-04T19:45:58.383Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.383Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Ransomware Note Creation Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. 
One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"to\":\"now\",\"references\":[],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and file.name : (\\n \\\"*crypt*\\\", \\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", 
\\\"*data*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\"\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Ransomware Note Creation Detected\",\"description\":\"This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":10,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.383Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", 
\\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":10,\"merged_version\":10,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", 
\\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and file.name : (\\n \\\"*crypt*\\\", \\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*data*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\"\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", 
\\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"revision\":0,\"current_rule\":{\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"updated_at\":\"2024-12-04T19:45:40.248Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.248Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Startup Shell Folder Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Startup Shell Folder Modification\\n\\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related file tied to the Windows Registry entry.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\\n\\n### Related rules\\n\\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Startup Shell Folder Modification\",\"description\":\"Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Startup Shell Folder Modification\\n\\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. 
The Startup shell folder registry values are often targeted because they are monitored less commonly than the default Startup folder paths, so redirecting them may evade existing AV/EDR solutions. Programs launched from the redirected folder may also run with higher privileges, which can be ideal for an attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related file tied to the Windows Registry entry.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or 
anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. 
Before undertaking further investigation, verify that this activity is not benign, for example by confirming that the new Startup folder path was set by a known installer or administrator.\\n\\n### Related rules\\n\\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Restore the modified `Startup`/`Common Startup` shell folder values to their default paths and review the contents of the redirected directory for unauthorized executables.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.248Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n 
\\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"revision\":0,\"current_rule\":{\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"updated_at\":\"2024-12-04T19:45:58.386Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.386Z\",\"created_by\":\"elastic\",\"name\":\"Disabling Windows Defender Security Settings via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling Windows Defender Security Settings via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the execution of commands that can tamper with Windows Defender antivirus features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Planned Windows Defender configuration changes.\"],\"from\":\"now-9m\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Set-MpPreference\\\" and process.args : 
(\\\"-Disable*\\\", \\\"Disabled\\\", \\\"NeverSend\\\", \\\"-Exclusion*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disabling Windows Defender Security Settings via PowerShell\",\"description\":\"Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling Windows Defender Security Settings via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the execution of commands that can tamper with Windows Defender antivirus features. It matches on plain-text `Set-MpPreference` arguments, so encoded or otherwise obfuscated PowerShell invocations may not trigger it.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which setting was changed (the rule matches `-Disable*`, `-Exclusion*`, `Disabled`, and `NeverSend` arguments). Based on that, review the current exclusions, antivirus state, and sample submission configuration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Planned Windows Defender configuration changes.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.386Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Set-MpPreference\\\" and process.args : (\\\"-Disable*\\\", \\\"Disabled\\\", \\\"NeverSend\\\", 
\\\"-Exclusion*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"],\"target_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"revision\":0,\"current_rule\":{\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"updated_at\":\"2024-12-04T19:45:58.399Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.399Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL Side-Loading from a Suspicious Folder\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL 
Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.Ext.relative_file_name_modify_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.code_signature.trusted == true and \\n \\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\") and \\n \\n /* Suspicious Paths */\\n dll.path : 
(\\\"?:\\\\\\\\PerfLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Pictures\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Music\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.dll\\\",\\n\\t\\t \\\"?:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceProfiles\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*.dll\\\") and \\n\\t \\n\\t /* DLL loaded from the process.executable current directory */\\n\\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL Side-Loading from a Suspicious Folder\",\"description\":\"Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code 
Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.Ext.relative_file_name_modify_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.399Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"library where host.os.type == \\\"windows\\\" 
and\\n\\n process.code_signature.trusted == true and \\n \\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\") and \\n \\n /* Suspicious Paths */\\n dll.path : (\\\"?:\\\\\\\\PerfLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Pictures\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Music\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.dll\\\",\\n\\t\\t \\\"?:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceProfiles\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*.dll\\\") and \\n\\t \\n\\t /* DLL loaded from the process.executable current directory */\\n\\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merged_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"updated_at\":\"2024-12-04T19:45:58.401Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.401Z\",\"created_by\":\"elastic\",\"name\":\"Abnormal Process ID or Lock File Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Threat: BPFDoor\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Abnormal Process ID or Lock File Created\\n\\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\\n\\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\\n\\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. 
Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the file and determine if it is malicious:\\n - Check the contents of the PID files. They should only contain integer strings.\\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\\n - Analysts can use tools like `ent` to measure entropy.\\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. 
If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Block the identified indicators of compromise (IoCs).\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. 
To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/\",\"https://twitter.com/GossiTheDog/status/1522964028284411907\",\"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf\",\"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\"],\"version\":213,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \\nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\\nnot file.name : (jem.*.pid)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Abnormal Process ID or Lock File Created\",\"description\":\"Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. 
Certain Linux malware uses the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Abnormal Process ID or Lock File Created\\n\\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. A PID file contains its creator process's PID as an integer value.\\n\\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\\n\\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the file and determine if it is malicious:\\n - Check the contents of the PID files. They should only contain integer strings.\\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\\n - Analysts can use tools like `ent` to measure entropy.\\n - Examine the reputation of the PID file's SHA-256 hash. 
Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Block the identified indicators of compromise (IoCs).\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Threat: BPFDoor\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.\"],\"references\":[\"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/\",\"https://twitter.com/GossiTheDog/status/1522964028284411907\",\"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf\",\"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.401Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or 
/var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"new_terms_fields\":[\"process.executable\",\"file.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":213,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and 
event.action:(creation or file_create_event) and\\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \\nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\\nnot file.name : (jem.*.pid)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or 
/var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\",\"file.path\"],\"target_version\":[\"process.executable\",\"file.name\"],\"merged_version\":[\"process.executable\",\"file.name\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"revision\":0,\"current_rule\":{\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"updated_at\":\"2024-12-04T19:45:58.404Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.404Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace MFA Enforcement Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace MFA Enforcement Disabled\\n\\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies the disabling of MFA enforcement in Google Workspace. 
This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"MFA policies may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en#\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin\\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\\n and google_workspace.admin.new_value:false\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace MFA Enforcement Disabled\",\"description\":\"Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. 
An adversary may disable MFA enforcement in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace MFA Enforcement Disabled\\n\\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.404Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin\\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\\n and google_workspace.admin.new_value:false\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"updated_at\":\"2024-12-04T19:45:58.416Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.416Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace User Organizational Unit Changed\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational unit the user belongs to, which could then allow them to inherit permissions to applications and resources that were previously inaccessible.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace User Organizational Unit Changed\\n\\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\\n\\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. 
User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\\n\\nThis rule identifies when a user has been moved to a different organizational unit.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently had their organizational unit changed.\\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of 
false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.\"],\"from\":\"now-130m\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.type:change and event.category:iam\\n and google_workspace.event.type:\\\"USER_SETTINGS\\\" and event.action:\\\"MOVE_USER_TO_ORG_UNIT\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace User Organizational Unit Changed\",\"description\":\"Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. 
Adversaries may compromise a valid account and change which organizational unit the user belongs to, which could then allow them to inherit permissions to applications and resources that were previously inaccessible.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace User Organizational Unit Changed\\n\\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\\n\\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. 
The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\\n\\nThis rule identifies when a user has been moved to a different organizational unit.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently had their organizational unit changed.\\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of 
false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.416Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.type:change and event.category:iam\\n and google_workspace.event.type:\\\"USER_SETTINGS\\\" and event.action:\\\"MOVE_USER_TO_ORG_UNIT\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"revision\":0,\"current_rule\":{\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"updated_at\":\"2024-12-04T19:45:58.428Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.428Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Module Removal\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. 
Note that some Linux distributions are not built to support the removal of modules at all.\"],\"from\":\"now-9m\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"to\":\"now\",\"references\":[\"http://man7.org/linux/man-pages/man8/modprobe.8.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"rmmod\\\" or (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\")) and \\nprocess.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Module Removal\",\"description\":\"Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This rule identifies attempts to remove a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.\"],\"references\":[\"http://man7.org/linux/man-pages/man8/modprobe.8.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.428Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"rmmod\\\" or (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\")) and \\nprocess.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"revision\":0,\"current_rule\":{\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"updated_at\":\"2024-12-04T19:45:58.430Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.430Z\",\"created_by\":\"elastic\",\"name\":\"Downloaded URL Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"url\\\"\\n and file.Ext.windows.zone_identifier > 1 and not process.name : \\\"explorer.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Downloaded URL Files\",\"description\":\"Identifies .url shortcut files downloaded from outside the local network. 
These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.430Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"url\\\"\\n and file.Ext.windows.zone_identifier > 1 and not process.name : \\\"explorer.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"revision\":0,\"current_rule\":{\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"updated_at\":\"2024-12-04T19:45:58.441Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.441Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell HackTool Script by Function Names\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aims to take advantage of that.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential PowerShell HackTool Script by Function Names\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. 
This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's 
`process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\\n\\n### Related Rules\\n\\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\",\"https://github.com/BC-SECURITY/Empire\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Add-DomainGroupMember\\\" or \\\"Add-DomainObjectAcl\\\" or\\n \\\"Add-RemoteConnection\\\" or \\\"Add-ServiceDacl\\\" or\\n \\\"Add-Win32Type\\\" or \\\"Convert-ADName\\\" or\\n \\\"Convert-LDAPProperty\\\" or \\\"ConvertFrom-LDAPLogonHours\\\" or\\n \\\"ConvertFrom-UACValue\\\" or \\\"Copy-ArrayOfMemAddresses\\\" or\\n 
\\\"Create-NamedPipe\\\" or \\\"Create-ProcessWithToken\\\" or\\n \\\"Create-RemoteThread\\\" or \\\"Create-SuspendedWinLogon\\\" or\\n \\\"Create-WinLogonProcess\\\" or \\\"Emit-CallThreadStub\\\" or\\n \\\"Enable-SeAssignPrimaryTokenPrivilege\\\" or \\\"Enable-SeDebugPrivilege\\\" or\\n \\\"Enum-AllTokens\\\" or \\\"Export-PowerViewCSV\\\" or\\n \\\"Find-AVSignature\\\" or \\\"Find-AppLockerLog\\\" or\\n \\\"Find-DomainLocalGroupMember\\\" or \\\"Find-DomainObjectPropertyOutlier\\\" or\\n \\\"Find-DomainProcess\\\" or \\\"Find-DomainShare\\\" or\\n \\\"Find-DomainUserEvent\\\" or \\\"Find-DomainUserLocation\\\" or\\n \\\"Find-InterestingDomainAcl\\\" or \\\"Find-InterestingDomainShareFile\\\" or\\n \\\"Find-InterestingFile\\\" or \\\"Find-LocalAdminAccess\\\" or\\n \\\"Find-PSScriptsInPSAppLog\\\" or \\\"Find-PathDLLHijack\\\" or\\n \\\"Find-ProcessDLLHijack\\\" or \\\"Find-RDPClientConnection\\\" or\\n \\\"Get-AllAttributesForClass\\\" or \\\"Get-CachedGPPPassword\\\" or\\n \\\"Get-DecryptedCpassword\\\" or \\\"Get-DecryptedSitelistPassword\\\" or\\n \\\"Get-DelegateType\\\" or \\\"New-RelayEnumObject\\\" or\\n \\\"Get-DomainDFSShare\\\" or \\\"Get-DomainDFSShareV1\\\" or\\n \\\"Get-DomainDFSShareV2\\\" or \\\"Get-DomainDNSRecord\\\" or\\n \\\"Get-DomainDNSZone\\\" or \\\"Get-DomainFileServer\\\" or\\n \\\"Get-DomainForeignGroupMember\\\" or \\\"Get-DomainForeignUser\\\" or\\n \\\"Get-DomainGPO\\\" or \\\"Get-DomainGPOComputerLocalGroupMapping\\\" or\\n \\\"Get-DomainGPOLocalGroup\\\" or \\\"Get-DomainGPOUserLocalGroupMapping\\\" or\\n \\\"Get-DomainGUIDMap\\\" or \\\"Get-DomainGroup\\\" or\\n \\\"Get-DomainGroupMember\\\" or \\\"Get-DomainGroupMemberDeleted\\\" or\\n \\\"Get-DomainManagedSecurityGroup\\\" or \\\"Get-DomainOU\\\" or\\n \\\"Get-DomainObject\\\" or \\\"Get-DomainObjectAcl\\\" or\\n \\\"Get-DomainObjectAttributeHistory\\\" or \\\"Get-DomainObjectLinkedAttributeHistory\\\" or\\n \\\"Get-DomainPolicyData\\\" or \\\"Get-DomainSID\\\" or\\n 
\\\"Get-DomainSPNTicket\\\" or \\\"Get-DomainSearcher\\\" or\\n \\\"Get-DomainSite\\\" or \\\"Get-DomainSubnet\\\" or\\n \\\"Get-DomainTrust\\\" or \\\"Get-DomainTrustMapping\\\" or\\n \\\"Get-DomainUser\\\" or \\\"Get-DomainUserEvent\\\" or\\n \\\"Get-Forest\\\" or \\\"Get-ForestDomain\\\" or\\n \\\"Get-ForestGlobalCatalog\\\" or \\\"Get-ForestSchemaClass\\\" or\\n \\\"Get-ForestTrust\\\" or \\\"Get-GPODelegation\\\" or\\n \\\"Get-GPPAutologon\\\" or \\\"Get-GPPInnerField\\\" or\\n \\\"Get-GPPInnerFields\\\" or \\\"Get-GPPPassword\\\" or\\n \\\"Get-GptTmpl\\\" or \\\"Get-GroupsXML\\\" or\\n \\\"Get-HttpStatus\\\" or \\\"Get-ImageNtHeaders\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"New-SOASerialNumberArray\\\" or \\n \\\"Get-MemoryProcAddress\\\" or \\\"Get-MicrophoneAudio\\\" or\\n \\\"Get-ModifiablePath\\\" or \\\"Get-ModifiableRegistryAutoRun\\\" or\\n \\\"Get-ModifiableScheduledTaskFile\\\" or \\\"Get-ModifiableService\\\" or\\n \\\"Get-ModifiableServiceFile\\\" or \\\"Get-Name\\\" or\\n \\\"Get-NetComputerSiteName\\\" or \\\"Get-NetLocalGroup\\\" or\\n \\\"Get-NetLocalGroupMember\\\" or \\\"Get-NetLoggedon\\\" or\\n \\\"Get-NetRDPSession\\\" or \\\"Get-NetSession\\\" or\\n \\\"Get-NetShare\\\" or \\\"Get-PEArchitecture\\\" or\\n \\\"Get-PEBasicInfo\\\" or \\\"Get-PEDetailedInfo\\\" or\\n \\\"Get-PathAcl\\\" or \\\"Get-PrimaryToken\\\" or\\n \\\"Get-ProcAddress\\\" or \\\"Get-ProcessTokenGroup\\\" or\\n \\\"Get-ProcessTokenPrivilege\\\" or \\\"Get-ProcessTokenType\\\" or\\n \\\"Get-RegLoggedOn\\\" or \\\"Get-RegistryAlwaysInstallElevated\\\" or\\n \\\"Get-RegistryAutoLogon\\\" or \\\"Get-RemoteProcAddress\\\" or\\n \\\"Get-Screenshot\\\" or \\\"Get-ServiceDetail\\\" or\\n \\\"Get-SiteListPassword\\\" or \\\"Get-SitelistField\\\" or\\n \\\"Get-System\\\" or \\\"Get-SystemNamedPipe\\\" or\\n \\\"Get-SystemToken\\\" or \\\"Get-ThreadToken\\\" or\\n \\\"Get-TimedScreenshot\\\" or \\\"Get-TokenInformation\\\" or\\n \\\"Get-TopPort\\\" or 
\\\"Get-UnattendedInstallFile\\\" or\\n \\\"Get-UniqueTokens\\\" or \\\"Get-UnquotedService\\\" or\\n \\\"Get-VaultCredential\\\" or \\\"Get-VaultElementValue\\\" or\\n \\\"Get-VirtualProtectValue\\\" or \\\"Get-VolumeShadowCopy\\\" or\\n \\\"Get-WMIProcess\\\" or \\\"Get-WMIRegCachedRDPConnection\\\" or\\n \\\"Get-WMIRegLastLoggedOn\\\" or \\\"Get-WMIRegMountedDrive\\\" or\\n \\\"Get-WMIRegProxy\\\" or \\\"Get-WebConfig\\\" or\\n \\\"Get-Win32Constants\\\" or \\\"Get-Win32Functions\\\" or\\n \\\"Get-Win32Types\\\" or \\\"Import-DllImports\\\" or\\n \\\"Import-DllInRemoteProcess\\\" or \\\"Inject-LocalShellcode\\\" or\\n \\\"Inject-RemoteShellcode\\\" or \\\"Install-ServiceBinary\\\" or\\n \\\"Invoke-CompareAttributesForClass\\\" or \\\"Invoke-CreateRemoteThread\\\" or\\n \\\"Invoke-CredentialInjection\\\" or \\\"Invoke-DllInjection\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-ImpersonateUser\\\" or\\n \\\"Invoke-Kerberoast\\\" or \\\"Invoke-MemoryFreeLibrary\\\" or\\n \\\"Invoke-MemoryLoadLibrary\\\" or\\n \\\"Invoke-Mimikatz\\\" or \\\"Invoke-NinjaCopy\\\" or\\n \\\"Invoke-PatchDll\\\" or \\\"Invoke-Portscan\\\" or\\n \\\"Invoke-PrivescAudit\\\" or \\\"Invoke-ReflectivePEInjection\\\" or\\n \\\"Invoke-ReverseDnsLookup\\\" or \\\"Invoke-RevertToSelf\\\" or\\n \\\"Invoke-ServiceAbuse\\\" or \\\"Invoke-Shellcode\\\" or\\n \\\"Invoke-TokenManipulation\\\" or \\\"Invoke-UserImpersonation\\\" or\\n \\\"Invoke-WmiCommand\\\" or \\\"Mount-VolumeShadowCopy\\\" or\\n \\\"New-ADObjectAccessControlEntry\\\" or \\\"New-DomainGroup\\\" or\\n \\\"New-DomainUser\\\" or \\\"New-DynamicParameter\\\" or\\n \\\"New-InMemoryModule\\\" or\\n \\\"New-ThreadedFunction\\\" or \\\"New-VolumeShadowCopy\\\" or\\n \\\"Out-CompressedDll\\\" or \\\"Out-EncodedCommand\\\" or\\n \\\"Out-EncryptedScript\\\" or \\\"Out-Minidump\\\" or\\n \\\"PortScan-Alive\\\" or \\\"Portscan-Port\\\" or\\n \\\"Remove-DomainGroupMember\\\" or \\\"Remove-DomainObjectAcl\\\" or\\n 
\\\"Remove-RemoteConnection\\\" or \\\"Remove-VolumeShadowCopy\\\" or\\n \\\"Restore-ServiceBinary\\\" or \\\"Set-DesktopACLToAllowEveryone\\\" or\\n \\\"Set-DesktopACLs\\\" or \\\"Set-DomainObject\\\" or\\n \\\"Set-DomainObjectOwner\\\" or \\\"Set-DomainUserPassword\\\" or\\n \\\"Set-ServiceBinaryPath\\\" or \\\"Sub-SignedIntAsUnsigned\\\" or\\n \\\"Test-AdminAccess\\\" or \\\"Test-MemoryRangeValid\\\" or\\n \\\"Test-ServiceDaclPermission\\\" or \\\"Update-ExeFunctions\\\" or\\n \\\"Update-MemoryAddresses\\\" or \\\"Update-MemoryProtectionFlags\\\" or\\n \\\"Write-BytesToMemory\\\" or \\\"Write-HijackDll\\\" or\\n \\\"Write-PortscanOut\\\" or \\\"Write-ServiceBinary\\\" or\\n \\\"Write-UserAddMSI\\\" or \\\"Invoke-Privesc\\\" or\\n \\\"func_get_proc_address\\\" or \\\"Invoke-BloodHound\\\" or\\n \\\"Invoke-HostEnum\\\" or \\\"Get-BrowserInformation\\\" or\\n \\\"Get-DomainAccountPolicy\\\" or \\\"Get-DomainAdmins\\\" or\\n \\\"Get-AVProcesses\\\" or \\\"Get-AVInfo\\\" or\\n \\\"Get-RecycleBin\\\" or \\\"Invoke-BruteForce\\\" or\\n \\\"Get-PassHints\\\" or \\\"Invoke-SessionGopher\\\" or\\n \\\"Get-LSASecret\\\" or \\\"Get-PassHashes\\\" or\\n \\\"Invoke-WdigestDowngrade\\\" or \\\"Get-ChromeDump\\\" or\\n \\\"Invoke-DomainPasswordSpray\\\" or \\\"Get-FoxDump\\\" or\\n \\\"New-HoneyHash\\\" or \\\"Invoke-DCSync\\\" or\\n \\\"Invoke-PowerDump\\\" or \\\"Invoke-SSIDExfil\\\" or\\n \\\"Invoke-PowerShellTCP\\\" or \\\"Add-Exfiltration\\\" or\\n \\\"Do-Exfiltration\\\" or \\\"Invoke-DropboxUpload\\\" or\\n \\\"Invoke-ExfilDataToGitHub\\\" or \\\"Invoke-EgressCheck\\\" or\\n \\\"Invoke-PostExfil\\\" or \\\"Create-MultipleSessions\\\" or\\n \\\"Invoke-NetworkRelay\\\" or \\\"New-GPOImmediateTask\\\" or\\n \\\"Invoke-WMIDebugger\\\" or \\\"Invoke-SQLOSCMD\\\" or\\n \\\"Invoke-SMBExec\\\" or \\\"Invoke-PSRemoting\\\" or\\n \\\"Invoke-ExecuteMSBuild\\\" or \\\"Invoke-DCOM\\\" or\\n \\\"Invoke-InveighRelay\\\" or \\\"Invoke-PsExec\\\" or\\n \\\"Invoke-SSHCommand\\\" or 
\\\"Find-ActiveUsersWMI\\\" or\\n \\\"Get-SystemDrivesWMI\\\" or \\\"Get-ActiveNICSWMI\\\" or\\n \\\"Remove-Persistence\\\" or \\\"DNS_TXT_Pwnage\\\" or\\n \\\"Execute-OnTime\\\" or \\\"HTTP-Backdoor\\\" or\\n \\\"Add-ConstrainedDelegationBackdoor\\\" or \\\"Add-RegBackdoor\\\" or\\n \\\"Add-ScrnSaveBackdoor\\\" or \\\"Gupt-Backdoor\\\" or\\n \\\"Invoke-ADSBackdoor\\\" or \\\"Add-Persistence\\\" or\\n \\\"Invoke-ResolverBackdoor\\\" or \\\"Invoke-EventLogBackdoor\\\" or\\n \\\"Invoke-DeadUserBackdoor\\\" or \\\"Invoke-DisableMachineAcctChange\\\" or\\n \\\"Invoke-AccessBinary\\\" or \\\"Add-NetUser\\\" or\\n \\\"Invoke-Schtasks\\\" or \\\"Invoke-JSRatRegsvr\\\" or\\n \\\"Invoke-JSRatRundll\\\" or \\\"Invoke-PoshRatHttps\\\" or\\n \\\"Invoke-PsGcatAgent\\\" or \\\"Remove-PoshRat\\\" or\\n \\\"Install-SSP\\\" or \\\"Invoke-BackdoorLNK\\\" or\\n \\\"PowerBreach\\\" or \\\"InstallEXE-Persistence\\\" or\\n \\\"RemoveEXE-Persistence\\\" or \\\"Install-ServiceLevel-Persistence\\\" or\\n \\\"Remove-ServiceLevel-Persistence\\\" or \\\"Invoke-Prompt\\\" or\\n \\\"Invoke-PacketCapture\\\" or \\\"Start-WebcamRecorder\\\" or\\n \\\"Get-USBKeyStrokes\\\" or \\\"Invoke-KeeThief\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"Invoke-NetRipper\\\" or\\n \\\"Get-EmailItems\\\" or \\\"Invoke-MailSearch\\\" or\\n \\\"Invoke-SearchGAL\\\" or \\\"Get-WebCredentials\\\" or\\n \\\"Start-CaptureServer\\\" or \\\"Invoke-PowerShellIcmp\\\" or\\n \\\"Invoke-PowerShellTcpOneLine\\\" or \\\"Invoke-PowerShellTcpOneLineBind\\\" or\\n \\\"Invoke-PowerShellUdp\\\" or \\\"Invoke-PowerShellUdpOneLine\\\" or\\n \\\"Run-EXEonRemote\\\" or \\\"Download-Execute-PS\\\" or\\n \\\"Out-RundllCommand\\\" or \\\"Set-RemoteWMI\\\" or\\n \\\"Set-DCShadowPermissions\\\" or \\\"Invoke-PowerShellWMI\\\" or\\n \\\"Invoke-Vnc\\\" or \\\"Invoke-LockWorkStation\\\" or\\n \\\"Invoke-EternalBlue\\\" or \\\"Invoke-ShellcodeMSIL\\\" or\\n \\\"Invoke-MetasploitPayload\\\" or \\\"Invoke-DowngradeAccount\\\" or\\n 
\\\"Invoke-RunAs\\\" or \\\"ExetoText\\\" or\\n \\\"Disable-SecuritySettings\\\" or \\\"Set-MacAttribute\\\" or\\n \\\"Invoke-MS16032\\\" or \\\"Invoke-BypassUACTokenManipulation\\\" or\\n \\\"Invoke-SDCLTBypass\\\" or \\\"Invoke-FodHelperBypass\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-EnvBypass\\\" or\\n \\\"Get-ServiceUnquoted\\\" or \\\"Get-ServiceFilePermission\\\" or\\n \\\"Get-ServicePermission\\\" or\\n \\\"Enable-DuplicateToken\\\" or \\\"Invoke-PsUaCme\\\" or\\n \\\"Invoke-Tater\\\" or \\\"Invoke-WScriptBypassUAC\\\" or\\n \\\"Invoke-AllChecks\\\" or \\\"Find-TrustedDocuments\\\" or\\n \\\"Invoke-Interceptor\\\" or \\\"Invoke-PoshRatHttp\\\" or\\n \\\"Invoke-ExecCommandWMI\\\" or \\\"Invoke-KillProcessWMI\\\" or\\n \\\"Invoke-CreateShareandExecute\\\" or \\\"Invoke-RemoteScriptWithOutput\\\" or\\n \\\"Invoke-SchedJobManipulation\\\" or \\\"Invoke-ServiceManipulation\\\" or\\n \\\"Invoke-PowerOptionsWMI\\\" or \\\"Invoke-DirectoryListing\\\" or\\n \\\"Invoke-FileTransferOverWMI\\\" or \\\"Invoke-WMImplant\\\" or\\n \\\"Invoke-WMIObfuscatedPSCommand\\\" or \\\"Invoke-WMIDuplicateClass\\\" or\\n \\\"Invoke-WMIUpload\\\" or \\\"Invoke-WMIRemoteExtract\\\" or \\\"Invoke-winPEAS\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\")\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell HackTool Script by Function Names\",\"description\":\"Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. 
This rule aims to take advantage of that.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential PowerShell HackTool Script by Function Names\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\\n\\n### Related Rules\\n\\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\",\"https://github.com/BC-SECURITY/Empire\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.441Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Add-DomainGroupMember\\\" or \\\"Add-DomainObjectAcl\\\" or\\n \\\"Add-RemoteConnection\\\" or \\\"Add-ServiceDacl\\\" or\\n \\\"Add-Win32Type\\\" or \\\"Convert-ADName\\\" or\\n \\\"Convert-LDAPProperty\\\" or \\\"ConvertFrom-LDAPLogonHours\\\" or\\n \\\"ConvertFrom-UACValue\\\" or \\\"Copy-ArrayOfMemAddresses\\\" or\\n \\\"Create-NamedPipe\\\" or \\\"Create-ProcessWithToken\\\" or\\n \\\"Create-RemoteThread\\\" or \\\"Create-SuspendedWinLogon\\\" or\\n \\\"Create-WinLogonProcess\\\" or \\\"Emit-CallThreadStub\\\" or\\n \\\"Enable-SeAssignPrimaryTokenPrivilege\\\" or \\\"Enable-SeDebugPrivilege\\\" or\\n \\\"Enum-AllTokens\\\" or \\\"Export-PowerViewCSV\\\" or\\n \\\"Find-AVSignature\\\" or 
\\\"Find-AppLockerLog\\\" or\\n \\\"Find-DomainLocalGroupMember\\\" or \\\"Find-DomainObjectPropertyOutlier\\\" or\\n \\\"Find-DomainProcess\\\" or \\\"Find-DomainShare\\\" or\\n \\\"Find-DomainUserEvent\\\" or \\\"Find-DomainUserLocation\\\" or\\n \\\"Find-InterestingDomainAcl\\\" or \\\"Find-InterestingDomainShareFile\\\" or\\n \\\"Find-InterestingFile\\\" or \\\"Find-LocalAdminAccess\\\" or\\n \\\"Find-PSScriptsInPSAppLog\\\" or \\\"Find-PathDLLHijack\\\" or\\n \\\"Find-ProcessDLLHijack\\\" or \\\"Find-RDPClientConnection\\\" or\\n \\\"Get-AllAttributesForClass\\\" or \\\"Get-CachedGPPPassword\\\" or\\n \\\"Get-DecryptedCpassword\\\" or \\\"Get-DecryptedSitelistPassword\\\" or\\n \\\"Get-DelegateType\\\" or \\\"New-RelayEnumObject\\\" or\\n \\\"Get-DomainDFSShare\\\" or \\\"Get-DomainDFSShareV1\\\" or\\n \\\"Get-DomainDFSShareV2\\\" or \\\"Get-DomainDNSRecord\\\" or\\n \\\"Get-DomainDNSZone\\\" or \\\"Get-DomainFileServer\\\" or\\n \\\"Get-DomainForeignGroupMember\\\" or \\\"Get-DomainForeignUser\\\" or\\n \\\"Get-DomainGPO\\\" or \\\"Get-DomainGPOComputerLocalGroupMapping\\\" or\\n \\\"Get-DomainGPOLocalGroup\\\" or \\\"Get-DomainGPOUserLocalGroupMapping\\\" or\\n \\\"Get-DomainGUIDMap\\\" or \\\"Get-DomainGroup\\\" or\\n \\\"Get-DomainGroupMember\\\" or \\\"Get-DomainGroupMemberDeleted\\\" or\\n \\\"Get-DomainManagedSecurityGroup\\\" or \\\"Get-DomainOU\\\" or\\n \\\"Get-DomainObject\\\" or \\\"Get-DomainObjectAcl\\\" or\\n \\\"Get-DomainObjectAttributeHistory\\\" or \\\"Get-DomainObjectLinkedAttributeHistory\\\" or\\n \\\"Get-DomainPolicyData\\\" or \\\"Get-DomainSID\\\" or\\n \\\"Get-DomainSPNTicket\\\" or \\\"Get-DomainSearcher\\\" or\\n \\\"Get-DomainSite\\\" or \\\"Get-DomainSubnet\\\" or\\n \\\"Get-DomainTrust\\\" or \\\"Get-DomainTrustMapping\\\" or\\n \\\"Get-DomainUser\\\" or \\\"Get-DomainUserEvent\\\" or\\n \\\"Get-Forest\\\" or \\\"Get-ForestDomain\\\" or\\n \\\"Get-ForestGlobalCatalog\\\" or \\\"Get-ForestSchemaClass\\\" or\\n 
\\\"Get-ForestTrust\\\" or \\\"Get-GPODelegation\\\" or\\n \\\"Get-GPPAutologon\\\" or \\\"Get-GPPInnerField\\\" or\\n \\\"Get-GPPInnerFields\\\" or \\\"Get-GPPPassword\\\" or\\n \\\"Get-GptTmpl\\\" or \\\"Get-GroupsXML\\\" or\\n \\\"Get-HttpStatus\\\" or \\\"Get-ImageNtHeaders\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"New-SOASerialNumberArray\\\" or \\n \\\"Get-MemoryProcAddress\\\" or \\\"Get-MicrophoneAudio\\\" or\\n \\\"Get-ModifiablePath\\\" or \\\"Get-ModifiableRegistryAutoRun\\\" or\\n \\\"Get-ModifiableScheduledTaskFile\\\" or \\\"Get-ModifiableService\\\" or\\n \\\"Get-ModifiableServiceFile\\\" or \\\"Get-Name\\\" or\\n \\\"Get-NetComputerSiteName\\\" or \\\"Get-NetLocalGroup\\\" or\\n \\\"Get-NetLocalGroupMember\\\" or \\\"Get-NetLoggedon\\\" or\\n \\\"Get-NetRDPSession\\\" or \\\"Get-NetSession\\\" or\\n \\\"Get-NetShare\\\" or \\\"Get-PEArchitecture\\\" or\\n \\\"Get-PEBasicInfo\\\" or \\\"Get-PEDetailedInfo\\\" or\\n \\\"Get-PathAcl\\\" or \\\"Get-PrimaryToken\\\" or\\n \\\"Get-ProcAddress\\\" or \\\"Get-ProcessTokenGroup\\\" or\\n \\\"Get-ProcessTokenPrivilege\\\" or \\\"Get-ProcessTokenType\\\" or\\n \\\"Get-RegLoggedOn\\\" or \\\"Get-RegistryAlwaysInstallElevated\\\" or\\n \\\"Get-RegistryAutoLogon\\\" or \\\"Get-RemoteProcAddress\\\" or\\n \\\"Get-Screenshot\\\" or \\\"Get-ServiceDetail\\\" or\\n \\\"Get-SiteListPassword\\\" or \\\"Get-SitelistField\\\" or\\n \\\"Get-System\\\" or \\\"Get-SystemNamedPipe\\\" or\\n \\\"Get-SystemToken\\\" or \\\"Get-ThreadToken\\\" or\\n \\\"Get-TimedScreenshot\\\" or \\\"Get-TokenInformation\\\" or\\n \\\"Get-TopPort\\\" or \\\"Get-UnattendedInstallFile\\\" or\\n \\\"Get-UniqueTokens\\\" or \\\"Get-UnquotedService\\\" or\\n \\\"Get-VaultCredential\\\" or \\\"Get-VaultElementValue\\\" or\\n \\\"Get-VirtualProtectValue\\\" or \\\"Get-VolumeShadowCopy\\\" or\\n \\\"Get-WMIProcess\\\" or \\\"Get-WMIRegCachedRDPConnection\\\" or\\n \\\"Get-WMIRegLastLoggedOn\\\" or \\\"Get-WMIRegMountedDrive\\\" or\\n 
\\\"Get-WMIRegProxy\\\" or \\\"Get-WebConfig\\\" or\\n \\\"Get-Win32Constants\\\" or \\\"Get-Win32Functions\\\" or\\n \\\"Get-Win32Types\\\" or \\\"Import-DllImports\\\" or\\n \\\"Import-DllInRemoteProcess\\\" or \\\"Inject-LocalShellcode\\\" or\\n \\\"Inject-RemoteShellcode\\\" or \\\"Install-ServiceBinary\\\" or\\n \\\"Invoke-CompareAttributesForClass\\\" or \\\"Invoke-CreateRemoteThread\\\" or\\n \\\"Invoke-CredentialInjection\\\" or \\\"Invoke-DllInjection\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-ImpersonateUser\\\" or\\n \\\"Invoke-Kerberoast\\\" or \\\"Invoke-MemoryFreeLibrary\\\" or\\n \\\"Invoke-MemoryLoadLibrary\\\" or\\n \\\"Invoke-Mimikatz\\\" or \\\"Invoke-NinjaCopy\\\" or\\n \\\"Invoke-PatchDll\\\" or \\\"Invoke-Portscan\\\" or\\n \\\"Invoke-PrivescAudit\\\" or \\\"Invoke-ReflectivePEInjection\\\" or\\n \\\"Invoke-ReverseDnsLookup\\\" or \\\"Invoke-RevertToSelf\\\" or\\n \\\"Invoke-ServiceAbuse\\\" or \\\"Invoke-Shellcode\\\" or\\n \\\"Invoke-TokenManipulation\\\" or \\\"Invoke-UserImpersonation\\\" or\\n \\\"Invoke-WmiCommand\\\" or \\\"Mount-VolumeShadowCopy\\\" or\\n \\\"New-ADObjectAccessControlEntry\\\" or \\\"New-DomainGroup\\\" or\\n \\\"New-DomainUser\\\" or \\\"New-DynamicParameter\\\" or\\n \\\"New-InMemoryModule\\\" or\\n \\\"New-ThreadedFunction\\\" or \\\"New-VolumeShadowCopy\\\" or\\n \\\"Out-CompressedDll\\\" or \\\"Out-EncodedCommand\\\" or\\n \\\"Out-EncryptedScript\\\" or \\\"Out-Minidump\\\" or\\n \\\"PortScan-Alive\\\" or \\\"Portscan-Port\\\" or\\n \\\"Remove-DomainGroupMember\\\" or \\\"Remove-DomainObjectAcl\\\" or\\n \\\"Remove-RemoteConnection\\\" or \\\"Remove-VolumeShadowCopy\\\" or\\n \\\"Restore-ServiceBinary\\\" or \\\"Set-DesktopACLToAllowEveryone\\\" or\\n \\\"Set-DesktopACLs\\\" or \\\"Set-DomainObject\\\" or\\n \\\"Set-DomainObjectOwner\\\" or \\\"Set-DomainUserPassword\\\" or\\n \\\"Set-ServiceBinaryPath\\\" or \\\"Sub-SignedIntAsUnsigned\\\" or\\n \\\"Test-AdminAccess\\\" or \\\"Test-MemoryRangeValid\\\" 
or\\n \\\"Test-ServiceDaclPermission\\\" or \\\"Update-ExeFunctions\\\" or\\n \\\"Update-MemoryAddresses\\\" or \\\"Update-MemoryProtectionFlags\\\" or\\n \\\"Write-BytesToMemory\\\" or \\\"Write-HijackDll\\\" or\\n \\\"Write-PortscanOut\\\" or \\\"Write-ServiceBinary\\\" or\\n \\\"Write-UserAddMSI\\\" or \\\"Invoke-Privesc\\\" or\\n \\\"func_get_proc_address\\\" or \\\"Invoke-BloodHound\\\" or\\n \\\"Invoke-HostEnum\\\" or \\\"Get-BrowserInformation\\\" or\\n \\\"Get-DomainAccountPolicy\\\" or \\\"Get-DomainAdmins\\\" or\\n \\\"Get-AVProcesses\\\" or \\\"Get-AVInfo\\\" or\\n \\\"Get-RecycleBin\\\" or \\\"Invoke-BruteForce\\\" or\\n \\\"Get-PassHints\\\" or \\\"Invoke-SessionGopher\\\" or\\n \\\"Get-LSASecret\\\" or \\\"Get-PassHashes\\\" or\\n \\\"Invoke-WdigestDowngrade\\\" or \\\"Get-ChromeDump\\\" or\\n \\\"Invoke-DomainPasswordSpray\\\" or \\\"Get-FoxDump\\\" or\\n \\\"New-HoneyHash\\\" or \\\"Invoke-DCSync\\\" or\\n \\\"Invoke-PowerDump\\\" or \\\"Invoke-SSIDExfil\\\" or\\n \\\"Invoke-PowerShellTCP\\\" or \\\"Add-Exfiltration\\\" or\\n \\\"Do-Exfiltration\\\" or \\\"Invoke-DropboxUpload\\\" or\\n \\\"Invoke-ExfilDataToGitHub\\\" or \\\"Invoke-EgressCheck\\\" or\\n \\\"Invoke-PostExfil\\\" or \\\"Create-MultipleSessions\\\" or\\n \\\"Invoke-NetworkRelay\\\" or \\\"New-GPOImmediateTask\\\" or\\n \\\"Invoke-WMIDebugger\\\" or \\\"Invoke-SQLOSCMD\\\" or\\n \\\"Invoke-SMBExec\\\" or \\\"Invoke-PSRemoting\\\" or\\n \\\"Invoke-ExecuteMSBuild\\\" or \\\"Invoke-DCOM\\\" or\\n \\\"Invoke-InveighRelay\\\" or \\\"Invoke-PsExec\\\" or\\n \\\"Invoke-SSHCommand\\\" or \\\"Find-ActiveUsersWMI\\\" or\\n \\\"Get-SystemDrivesWMI\\\" or \\\"Get-ActiveNICSWMI\\\" or\\n \\\"Remove-Persistence\\\" or \\\"DNS_TXT_Pwnage\\\" or\\n \\\"Execute-OnTime\\\" or \\\"HTTP-Backdoor\\\" or\\n \\\"Add-ConstrainedDelegationBackdoor\\\" or \\\"Add-RegBackdoor\\\" or\\n \\\"Add-ScrnSaveBackdoor\\\" or \\\"Gupt-Backdoor\\\" or\\n \\\"Invoke-ADSBackdoor\\\" or \\\"Add-Persistence\\\" or\\n 
\\\"Invoke-ResolverBackdoor\\\" or \\\"Invoke-EventLogBackdoor\\\" or\\n \\\"Invoke-DeadUserBackdoor\\\" or \\\"Invoke-DisableMachineAcctChange\\\" or\\n \\\"Invoke-AccessBinary\\\" or \\\"Add-NetUser\\\" or\\n \\\"Invoke-Schtasks\\\" or \\\"Invoke-JSRatRegsvr\\\" or\\n \\\"Invoke-JSRatRundll\\\" or \\\"Invoke-PoshRatHttps\\\" or\\n \\\"Invoke-PsGcatAgent\\\" or \\\"Remove-PoshRat\\\" or\\n \\\"Install-SSP\\\" or \\\"Invoke-BackdoorLNK\\\" or\\n \\\"PowerBreach\\\" or \\\"InstallEXE-Persistence\\\" or\\n \\\"RemoveEXE-Persistence\\\" or \\\"Install-ServiceLevel-Persistence\\\" or\\n \\\"Remove-ServiceLevel-Persistence\\\" or \\\"Invoke-Prompt\\\" or\\n \\\"Invoke-PacketCapture\\\" or \\\"Start-WebcamRecorder\\\" or\\n \\\"Get-USBKeyStrokes\\\" or \\\"Invoke-KeeThief\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"Invoke-NetRipper\\\" or\\n \\\"Get-EmailItems\\\" or \\\"Invoke-MailSearch\\\" or\\n \\\"Invoke-SearchGAL\\\" or \\\"Get-WebCredentials\\\" or\\n \\\"Start-CaptureServer\\\" or \\\"Invoke-PowerShellIcmp\\\" or\\n \\\"Invoke-PowerShellTcpOneLine\\\" or \\\"Invoke-PowerShellTcpOneLineBind\\\" or\\n \\\"Invoke-PowerShellUdp\\\" or \\\"Invoke-PowerShellUdpOneLine\\\" or\\n \\\"Run-EXEonRemote\\\" or \\\"Download-Execute-PS\\\" or\\n \\\"Out-RundllCommand\\\" or \\\"Set-RemoteWMI\\\" or\\n \\\"Set-DCShadowPermissions\\\" or \\\"Invoke-PowerShellWMI\\\" or\\n \\\"Invoke-Vnc\\\" or \\\"Invoke-LockWorkStation\\\" or\\n \\\"Invoke-EternalBlue\\\" or \\\"Invoke-ShellcodeMSIL\\\" or\\n \\\"Invoke-MetasploitPayload\\\" or \\\"Invoke-DowngradeAccount\\\" or\\n \\\"Invoke-RunAs\\\" or \\\"ExetoText\\\" or\\n \\\"Disable-SecuritySettings\\\" or \\\"Set-MacAttribute\\\" or\\n \\\"Invoke-MS16032\\\" or \\\"Invoke-BypassUACTokenManipulation\\\" or\\n \\\"Invoke-SDCLTBypass\\\" or \\\"Invoke-FodHelperBypass\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-EnvBypass\\\" or\\n \\\"Get-ServiceUnquoted\\\" or \\\"Get-ServiceFilePermission\\\" or\\n \\\"Get-ServicePermission\\\" 
or\\n \\\"Enable-DuplicateToken\\\" or \\\"Invoke-PsUaCme\\\" or\\n \\\"Invoke-Tater\\\" or \\\"Invoke-WScriptBypassUAC\\\" or\\n \\\"Invoke-AllChecks\\\" or \\\"Find-TrustedDocuments\\\" or\\n \\\"Invoke-Interceptor\\\" or \\\"Invoke-PoshRatHttp\\\" or\\n \\\"Invoke-ExecCommandWMI\\\" or \\\"Invoke-KillProcessWMI\\\" or\\n \\\"Invoke-CreateShareandExecute\\\" or \\\"Invoke-RemoteScriptWithOutput\\\" or\\n \\\"Invoke-SchedJobManipulation\\\" or \\\"Invoke-ServiceManipulation\\\" or\\n \\\"Invoke-PowerOptionsWMI\\\" or \\\"Invoke-DirectoryListing\\\" or\\n \\\"Invoke-FileTransferOverWMI\\\" or \\\"Invoke-WMImplant\\\" or\\n \\\"Invoke-WMIObfuscatedPSCommand\\\" or \\\"Invoke-WMIDuplicateClass\\\" or\\n \\\"Invoke-WMIUpload\\\" or \\\"Invoke-WMIRemoteExtract\\\" or \\\"Invoke-winPEAS\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"revision\":0,\"current_rule\":{\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"updated_at\":\"2024-12-04T19:46:04.769Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.769Z\",\"created_by\":\"elastic\",\"name\":\"Shadow File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.path == \\\"/etc/shadow\\\" and file.Ext.original.path != null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Shadow File Modification\",\"description\":\"This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. 
Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.769Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.path == \\\"/etc/shadow\\\" and file.Ext.original.path != null\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"revision\":0,\"current_rule\":{\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"updated_at\":\"2024-12-04T19:45:58.443Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.443Z\",\"created_by\":\"elastic\",\"name\":\"New ActiveSyncAllowedDeviceID Added via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. 
Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.002\",\"name\":\"Additional Email Delegate Permissions\",\"reference\":\"https://attack.mitre.org/techniques/T1098/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and process.args : \\\"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New ActiveSyncAllowedDeviceID Added via 
PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.002\",\"name\":\"Additional Email Delegate Permissions\",\"reference\":\"https://attack.mitre.org/techniques/T1098/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.683Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.443Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and process.args : \\\"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"revision\":0,\"current_rule\":{\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"updated_at\":\"2024-12-04T19:45:58.448Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.448Z\",\"created_by\":\"elastic\",\"name\":\"Domain Added to Google Workspace Trusted Domains\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Domain Added to Google Workspace Trusted Domains\\n\\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\\n\\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. 
Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\\n\\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\\n\\n### False positive analysis\\n\\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted domains may be added by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6160020?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Domain Added to Google Workspace Trusted Domains\",\"description\":\"Detects when a domain is added to the list of trusted Google Workspace domains. 
An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Domain Added to Google Workspace Trusted Domains\\n\\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\\n\\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\\n\\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\\n- Filter your data. 
Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\\n\\n### False positive analysis\\n\\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted domains may be added by system administrators. 
Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.448Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
event.action:ADD_TRUSTED_DOMAINS\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6160020?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"revision\":0,\"current_rule\":{\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"updated_at\":\"2024-12-04T19:46:04.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.774Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Discovery Activity by User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.kind\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"kibana.alert.rule.rule_id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\\n \\\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\\\" or \\\"7b8bfc26-81d2-435e-965c-d722ee397ef1\\\" or\\n \\\"0635c542-1b96-4335-9b47-126582d2c19a\\\" or \\\"6ea55c81-e2ba-42f2-a134-bccf857ba922\\\" or\\n \\\"e0881d20-54ac-457f-8733-fe0bc5d44c55\\\" or \\\"06568a02-af29-4f20-929c-f3af281e41aa\\\" or\\n \\\"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\\\" or \\\"51176ed2-2d90-49f2-9f3d-17196428b169\\\" or\\n \\\"1d72d014-e2ab-4707-b056-9b96abe7b511\\\"\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\".alerts-security.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Discovery Activity by User\",\"description\":\"This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.kind\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"kibana.alert.rule.rule_id\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\\n \\\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\\\" or \\\"7b8bfc26-81d2-435e-965c-d722ee397ef1\\\" or\\n \\\"0635c542-1b96-4335-9b47-126582d2c19a\\\" or \\\"6ea55c81-e2ba-42f2-a134-bccf857ba922\\\" or\\n \\\"e0881d20-54ac-457f-8733-fe0bc5d44c55\\\" or \\\"06568a02-af29-4f20-929c-f3af281e41aa\\\" or\\n \\\"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\\\" or \\\"51176ed2-2d90-49f2-9f3d-17196428b169\\\" or\\n 
\\\"1d72d014-e2ab-4707-b056-9b96abe7b511\\\"\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\".alerts-security.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"revision\":0,\"current_rule\":{\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"updated_at\":\"2024-12-04T19:45:58.453Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.453Z\",\"created_by\":\"elastic\",\"name\":\"Execution from Unusual Directory - Command Line\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process execution from suspicious default Windows directories. 
This may be abused by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution from Unusual Directory - Command Line\\n\\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n 
- !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions.\\n\\n### Related rules\\n\\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"wscript.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"cmstp.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"installutil.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cmd.exe\\\") and\\n\\n /* add suspicious execution paths here */\\n process.args : (\\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\") and\\n\\n /* noisy FP patterns */\\n\\n not process.parent.executable : (\\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\igfxCUIService*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spacedeskService.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SupportAssistAgent\\\\\\\\SRE\\\\\\\\SRE.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and\\n process.args : (\\\"uxtheme.dll,#64\\\",\\n 
\\\"PRINTUI.DLL,PrintUIEntry\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\FirewallControlPanel.dll,ShowNotificationDialog\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\Speech\\\\\\\\SpeechUX\\\\\\\\sapi.cpl\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\shell32.dll,OpenAs_RunDLL\\\")) and\\n\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\powercfg.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\inf\\\\\\\\PowerPlan.log\\\") and\\n\\n not (process.name : \\\"regsvr32.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\OEM\\\\\\\\scripts\\\\\\\\checkmui.dll\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and\\n process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\windeploy.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ossec-agent\\\\\\\\wazuh-agent.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\igfxCUIService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\IE*.tmp\\\\\\\\IE*-support\\\\\\\\ienrcore.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution from Unusual Directory - Command Line\",\"description\":\"Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution from Unusual Directory - Command Line\\n\\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions.\\n\\n### Related rules\\n\\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.453Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"wscript.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"cmstp.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"installutil.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cmd.exe\\\") and\\n\\n /* add suspicious execution paths here */\\n process.args : (\\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\") and\\n\\n /* noisy FP patterns */\\n\\n not process.parent.executable : (\\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\igfxCUIService*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spacedeskService.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SupportAssistAgent\\\\\\\\SRE\\\\\\\\SRE.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and\\n process.args : (\\\"uxtheme.dll,#64\\\",\\n \\\"PRINTUI.DLL,PrintUIEntry\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\FirewallControlPanel.dll,ShowNotificationDialog\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\Speech\\\\\\\\SpeechUX\\\\\\\\sapi.cpl\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\shell32.dll,OpenAs_RunDLL\\\")) and\\n\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\powercfg.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\inf\\\\\\\\PowerPlan.log\\\") and\\n\\n not (process.name : \\\"regsvr32.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\OEM\\\\\\\\scripts\\\\\\\\checkmui.dll\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and\\n process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\windeploy.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ossec-agent\\\\\\\\wazuh-agent.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\igfxCUIService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\IE*.tmp\\\\\\\\IE*-support\\\\\\\\ienrcore.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"revision\":0,\"current_rule\":{\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"updated_at\":\"2024-12-04T19:45:40.251Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.251Z\",\"created_by\":\"elastic\",\"name\":\"Registry Persistence via AppInit DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. 
The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Registry Persistence via AppInit DLL\\n\\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\\n\\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\\n\\nThis rule identifies modifications on the AppInit registry keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related DLL file tied to the Windows Registry entry.\\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Retrieve all DLLs under the AppInit registry keys:\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve AppInit Registry Value\\\",\\\"query\\\":\\\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows' or\\\\nr.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows') and r.name ==\\\\n'AppInit_DLLs'\\\\n\\\"}}\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.010\",\"name\":\"AppInit DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/010/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Registry Persistence via AppInit DLL\",\"description\":\"AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. 
Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Registry Persistence via AppInit DLL\\n\\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\\n\\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\\n\\nThis rule identifies modifications on the AppInit registry keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related DLL file tied to the Windows Registry entry.\\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Retrieve all DLLs under the AppInit registry keys:\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve AppInit Registry Value\\\",\\\"query\\\":\\\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows' or\\\\nr.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows') and r.name ==\\\\n'AppInit_DLLs'\\\\n\\\"}}\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.010\",\"name\":\"AppInit DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/010/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.251Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"revision\":0,\"current_rule\":{\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"updated_at\":\"2024-12-04T19:45:58.460Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.460Z\",\"created_by\":\"elastic\",\"name\":\"Symbolic Link to Shadow Copy Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Symbolic Link to Shadow Copy Created\\n\\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if a volume shadow copy was recently created on this endpoint.\\n- Review privileges of the end user as this requires administrative access.\\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\\n- Investigate recent deletions of volume shadow copies.\\n- Identify other files potentially copied from volume shadow copy paths directly.\\n\\n### False positive analysis\\n\\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Locate and remove static files copied from volume shadow copies.\\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate administrative activity related to shadow copies.\"],\"from\":\"now-9m\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink\",\"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\",\"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/\",\"https://www.hackingarticles.in/credential-dumping-ntds-dit/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are 
created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (?process.pe.original_file_name in (\\\"Cmd.Exe\\\",\\\"PowerShell.EXE\\\")) or\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* Create Symbolic Link to Shadow Copies */\\n process.args : (\\\"*mklink*\\\", \\\"*SymbolicLink*\\\") and process.command_line : (\\\"*HarddiskVolumeShadowCopy*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Symbolic Link to Shadow Copy Created\",\"description\":\"Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Symbolic Link to Shadow Copy Created\\n\\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. 
Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if a volume shadow copy was recently created on this endpoint.\\n- Review privileges of the end user as this requires administrative access.\\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\\n- Investigate recent deletions of volume shadow copies.\\n- Identify other files potentially copied from volume shadow copy paths directly.\\n\\n### False positive analysis\\n\\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Locate and remove static files copied from volume shadow copies.\\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate administrative activity related to shadow 
copies.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink\",\"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\",\"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/\",\"https://www.hackingarticles.in/credential-dumping-ntds-dit/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this 
rule.\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.460Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (?process.pe.original_file_name in (\\\"Cmd.Exe\\\",\\\"PowerShell.EXE\\\")) or\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* Create Symbolic Link to Shadow Copies */\\n process.args : (\\\"*mklink*\\\", \\\"*SymbolicLink*\\\") and process.command_line : 
(\\\"*HarddiskVolumeShadowCopy*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an 
Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\",\"merged_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"revision\":0,\"current_rule\":{\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"updated_at\":\"2024-12-04T19:45:58.473Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.473Z\",\"created_by\":\"elastic\",\"name\":\"Disabling User Account Control via Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. 
With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Account Control (UAC) protection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling User Account Control via Registry Modification\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\\n- Retrieve the suspicious processes' executables and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled tasks creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore UAC settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disabling User Account Control via Registry Modification\",\"description\":\"User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Account Control (UAC) protection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling User Account Control via Registry Modification\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\\n- Retrieve the suspicious processes' executables and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled tasks creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This 
activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore UAC settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.473Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\"],\"target_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four\"],\"merged_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elas
tic.co/security-labs/dissecting-remcos-rat-part-four\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"revision\":0,\"current_rule\":{\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"updated_at\":\"2024-12-04T19:45:58.476Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.476Z\",\"created_by\":\"elastic\",\"name\":\"Clearing Windows Event Logs\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: 
Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Event Logs\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"},{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Clearing Windows Event Logs\",\"description\":\"Identifies attempts to clear or disable 
Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Event Logs\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"},{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.476Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n 
?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", 
\\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"revision\":0,\"current_rule\":{\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"updated_at\":\"2024-12-04T19:45:58.478Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.478Z\",\"created_by\":\"elastic\",\"name\":\"Remote Windows Service Installed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\\\"\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\\n[authentication where event.action == \\\"logged-in\\\" and winlog.logon.type : \\\"Network\\\" and\\nevent.outcome==\\\"success\\\" and source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n[iam where event.action == \\\"service-installed\\\" and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and\\n not winlog.event_data.ServiceFileName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Windows Service Installed\",\"description\":\"Identifies a network logon followed by Windows service creation with same LogonId. 
This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\\\"\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.478Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\\n[authentication where event.action == \\\"logged-in\\\" and winlog.logon.type : \\\"Network\\\" and\\nevent.outcome==\\\"success\\\" and source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n[iam where event.action == \\\"service-installed\\\" and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and\\n not winlog.event_data.ServiceFileName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"revision\":0,\"current_rule\":{\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"updated_at\":\"2024-12-04T19:45:58.481Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.481Z\",\"created_by\":\"elastic\",\"name\":\"WMI WBEMTEST Utility Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"wbemtest.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMI WBEMTEST Utility Execution\",\"description\":\"Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.481Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"wbemtest.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"revision\":0,\"current_rule\":{\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"updated_at\":\"2024-12-04T19:45:40.253Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.253Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Windir Environment Variable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.007\",\"name\":\"Path Interception by PATH Environment Variable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" 
and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Windir Environment Variable\",\"description\":\"Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.007\",\"name\":\"Path Interception by PATH Environment Variable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.253Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n 
\\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"revision\":0,\"current_rule\":{\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"updated_at\":\"2024-12-04T19:45:59.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.628Z\",\"created_by\":\"elastic\",\"name\":\"Service Command Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of sc.exe to create, modify, or start services on remote hosts. 
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan = 1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"\\\\\\\\\\\\\\\\*\\\" and process.args : (\\\"binPath=*\\\", \\\"binpath=*\\\") and\\n process.args : (\\\"create\\\", \\\"config\\\", \\\"failure\\\", \\\"start\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"sc.exe\\\" and destination.ip != \\\"127.0.0.1\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Command Lateral Movement\",\"description\":\"Identifies use of sc.exe to create, modify, or start services on remote hosts. 
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan = 1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"\\\\\\\\\\\\\\\\*\\\" and process.args : (\\\"binPath=*\\\", \\\"binpath=*\\\") and\\n process.args : (\\\"create\\\", \\\"config\\\", \\\"failure\\\", \\\"start\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"sc.exe\\\" and destination.ip != \\\"127.0.0.1\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"revision\":0,\"current_rule\":{\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"updated_at\":\"2024-12-04T19:46:04.783Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.783Z\",\"created_by\":\"elastic\",\"name\":\"Unusual DPKG Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the DPKG command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual DPKG Execution\",\"description\":\"This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the DPKG command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.783Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" 
or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", \\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs
\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", \\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", 
\\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"revision\":0,\"current_rule\":{\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"updated_at\":\"2024-12-04T19:45:59.503Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.503Z\",\"created_by\":\"elastic\",\"name\":\"System Information Discovery via Windows Command Shell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Information Discovery via Windows Command Shell\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\" and process.args : (\\\"set\\\", \\\"dir\\\") and\\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Information Discovery via Windows Command Shell\",\"description\":\"Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command 
Shell.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Information Discovery via Windows Command Shell\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.503Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\" and process.args : (\\\"set\\\", \\\"dir\\\") and\\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"revision\":0,\"current_rule\":{\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"updated_at\":\"2024-12-04T19:45:40.256Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.256Z\",\"created_by\":\"elastic\",\"name\":\"Modification of WDigest Security Provider\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of WDigest Security Provider\\n\\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\\n\\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential` registry key. 
This activity is commonly related to the execution of credential dumping tools.\\n\\n#### Possible investigation steps\\n\\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html\",\"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019\",\"https://frsecure.com/compromised-credentials-response-playbook\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n registry.path : (\\n 
\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of WDigest Security Provider\",\"description\":\"Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of WDigest Security Provider\\n\\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\\n\\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential` registry key. 
This activity is commonly related to the execution of credential dumping tools.\\n\\n#### Possible investigation steps\\n\\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for 
Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html\",\"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019\",\"https://frsecure.com/compromised-credentials-response-playbook\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.256Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"revision\":0,\"current_rule\":{\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"updated_at\":\"2024-12-04T19:45:59.508Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.508Z\",\"created_by\":\"elastic\",\"name\":\"Command Execution via SolarWinds Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes. 
Verify process details such as network connections and file writes.\"],\"from\":\"now-9m\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name: (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\nprocess.parent.name: (\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n 
\\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Execution via SolarWinds Process\",\"description\":\"A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes. 
Verify process details such as network connections and file writes.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.508Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name: (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\nprocess.parent.name: (\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"revision\":0,\"current_rule\":{\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"updated_at\":\"2024-12-04T19:45:59.512Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.512Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Memory grep Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for grep activity related to memory mapping. 
The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/arget13/DDexec\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"fgrep\\\", \\\"rgrep\\\") and process.args in (\\\"[stack]\\\", \\\"[vdso]\\\", \\\"[heap]\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Memory 
grep Activity\",\"description\":\"Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/arget13/DDexec\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.512Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"fgrep\\\", \\\"rgrep\\\") and process.args in (\\\"[stack]\\\", \\\"[vdso]\\\", \\\"[heap]\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data 
Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"revision\":0,\"current_rule\":{\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"updated_at\":\"2024-12-04T19:45:59.528Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.528Z\",\"created_by\":\"elastic\",\"name\":\"SMTP on Port 26/TCP\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. 
This port has also been used by a malware family called BadPatch for command and control of Windows systems.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/unit42-badpatch/\",\"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and 
destination.port:26\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMTP on Port 26/TCP\",\"description\":\"This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.\"],\"references\":[\"https://unit42.paloaltonetworks.com/unit42-badpatch/\",\"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.528Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"revision\":0,\"current_rule\":{\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"updated_at\":\"2024-12-04T19:45:59.533Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.533Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM Deactivation of MFA Device\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deactivation of a specified multi-factor 
authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM Deactivation of MFA Device\\n\\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\\n\\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\\n\\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A MFA device may be deactivated by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM Deactivation of MFA Device\",\"description\":\"Identifies the deactivation of a specified multi-factor authentication (MFA) 
device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM Deactivation of MFA Device\\n\\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\\n\\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\\n\\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.533Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and 
event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"revision\":0,\"current_rule\":{\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"updated_at\":\"2024-12-04T19:46:04.785Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.785Z\",\"created_by\":\"elastic\",\"name\":\"NTDS Dump via Wbadmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. 
Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume 
Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name : \\\"wbadmin.exe\\\") and \\n process.args : \\\"recovery\\\" and process.command_line : \\\"*ntds.dit*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NTDS Dump via Wbadmin\",\"description\":\"Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. 
Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume 
Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.785Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name : \\\"wbadmin.exe\\\") and \\n process.args : \\\"recovery\\\" and process.command_line : \\\"*ntds.dit*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"revision\":0,\"current_rule\":{\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"updated_at\":\"2024-12-04T19:45:59.535Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.535Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deletion via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via PowerShell\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been 
encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy\",\"https://powershell.one/wmi/root/cimv2/win32_shadowcopy\",\"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : (\\\"*Get-WmiObject*\\\", \\\"*gwmi*\\\", 
\\\"*Get-CimInstance*\\\", \\\"*gcim*\\\") and\\n process.args : (\\\"*Win32_ShadowCopy*\\\") and\\n process.args : (\\\"*.Delete()*\\\", \\\"*Remove-WmiObject*\\\", \\\"*rwmi*\\\", \\\"*Remove-CimInstance*\\\", \\\"*rcim*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deletion via PowerShell\",\"description\":\"Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via PowerShell\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - 
File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker 
to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy\",\"https://powershell.one/wmi/root/cimv2/win32_shadowcopy\",\"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.535Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : (\\\"*Get-WmiObject*\\\", \\\"*gwmi*\\\", \\\"*Get-CimInstance*\\\", \\\"*gcim*\\\") and\\n process.args : (\\\"*Win32_ShadowCopy*\\\") and\\n process.args : (\\\"*.Delete()*\\\", \\\"*Remove-WmiObject*\\\", \\\"*rwmi*\\\", \\\"*Remove-CimInstance*\\\", 
\\\"*rcim*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"revision\":0,\"current_rule\":{\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"updated_at\":\"2024-12-04T19:45:40.259Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.259Z\",\"created_by\":\"elastic\",\"name\":\"Code Signing Policy Modification Through Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Registry\\n\\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \\n\\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\\n\\nThis rule identifies registry modifications that can disable DSE.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Code Signing Policy Modification Through Registry\",\"description\":\"Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. 
By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Registry\\n\\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \\n\\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\\n\\nThis rule identifies registry modifications that can disable DSE.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.259Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", 
\\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"revision\":0,\"current_rule\":{\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"updated_at\":\"2024-12-04T19:45:59.540Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.540Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Service was Installed in the System\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a new Windows service with suspicious Service command values. 
Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Service was Installed in the System\\n\\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\\n\\nThis rule looks for newly created services whose service file name or image path has traits compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account IS NULL)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, 
description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- Certain services, such as PSEXESVC (PsExec), may be installed legitimately. The security team should address any potential benign true positive (B-TP) by adding an exception for the relevant pattern.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ImagePath\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where\\n (event.code : \\\"4697\\\" and\\n (winlog.event_data.ServiceFileName : \\n (\\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\", 
\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\", \\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\") or\\n winlog.event_data.ServiceFileName regex~ \\\"\\\"\\\"%systemroot%\\\\\\\\[a-z0-9]+\\\\.exe\\\"\\\"\\\")) or\\n\\n (event.code : \\\"7045\\\" and\\n winlog.event_data.ImagePath : (\\n \\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\",\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\",\\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Service was Installed in the System\",\"description\":\"Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Service was Installed in the System\\n\\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. 
They can also configure services to execute these utilities with persistence payloads.\\n\\nThis rule looks for newly created services whose service file name or image path has traits compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. Look for registry change events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existing services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account IS NULL)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- Certain services, such as PSEXESVC (PsExec), may be installed legitimately. 
The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ImagePath\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.686Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.540Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where\\n (event.code : \\\"4697\\\" and\\n (winlog.event_data.ServiceFileName : \\n (\\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\", \\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\", \\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\") or\\n winlog.event_data.ServiceFileName regex~ \\\"\\\"\\\"%systemroot%\\\\\\\\[a-z0-9]+\\\\.exe\\\"\\\"\\\")) or\\n\\n (event.code : \\\"7045\\\" and\\n winlog.event_data.ImagePath : (\\n \\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\",\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\",\\n 
\\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"revision\":0,\"current_rule\":{\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"updated_at\":\"2024-12-04T19:45:59.543Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.543Z\",\"created_by\":\"elastic\",\"name\":\"Potential Pass-the-Hash (PtH) Attempt\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1550/002/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"windows\\\" and \\nevent.category : \\\"authentication\\\" and event.action : \\\"logged-in\\\" and \\nwinlog.logon.type : \\\"NewCredentials\\\" and event.outcome : \\\"success\\\" and \\nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \\\"seclogo\\\"\\n\",\"new_terms_fields\":[\"user.id\"],\"history_window_start\":\"now-10d\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Pass-the-Hash (PtH) Attempt\",\"description\":\"Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. 
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1550/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.543Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"windows\\\" and \\nevent.category : \\\"authentication\\\" and event.action : \\\"logged-in\\\" and \\nwinlog.logon.type : \\\"NewCredentials\\\" and event.outcome : \\\"success\\\" and \\nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \\\"seclogo\\\"\\n\",\"new_terms_fields\":[\"user.id\"],\"history_window_start\":\"now-10d\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"revision\":0,\"current_rule\":{\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"updated_at\":\"2024-12-04T19:45:59.547Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.547Z\",\"created_by\":\"elastic\",\"name\":\"Network-Level Authentication (NLA) Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. 
Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path :\\n (\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\", \\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\" ) and\\n registry.data.strings : \\\"0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network-Level Authentication (NLA) Disabled\",\"description\":\"Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.547Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", 
\\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path :\\n (\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\", \\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\" ) and\\n registry.data.strings : \\\"0\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n 
\\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"revision\":0,\"current_rule\":{\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"updated_at\":\"2024-12-04T19:45:59.550Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.550Z\",\"created_by\":\"elastic\",\"name\":\"Execution via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to execute a program on the host from the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys*\\\\\\\\wslconfig.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via Windows Subsystem for Linux\",\"description\":\"Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.550Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files 
(x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys*\\\\\\\\wslconfig.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program 
Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"revision\":0,\"current_rule\":{\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"updated_at\":\"2024-12-04T19:46:04.788Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.788Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Command Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. 
An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Command Execution\",\"description\":\"This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. 
An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.788Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", 
\\\"ksh\\\", \\\"fish\\\")\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"target_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"revision\":0,\"current_rule\":{\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"updated_at\":\"2024-12-04T19:45:59.561Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.561Z\",\"created_by\":\"elastic\",\"name\":\"Potential Hidden Process via Mount Hidepid\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide 
Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and\\nprocess.args : \\\"*hidepid=2*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Hidden Process via Mount Hidepid\",\"description\":\"Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. 
When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.561Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like 
\\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == 
\\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and\\nprocess.args : \\\"*hidepid=2*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like \\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like \\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"revision\":0,\"current_rule\":{\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"updated_at\":\"2024-12-04T19:45:59.564Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.564Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deletion via WMIC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of 
wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via WMIC\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file 
hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"delete\\\" and process.args : \\\"shadowcopy\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deletion via WMIC\",\"description\":\"Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via WMIC\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is 
authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.564Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"delete\\\" and process.args : \\\"shadowcopy\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"revision\":0,\"current_rule\":{\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"updated_at\":\"2024-12-04T19:45:59.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.568Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution from INET Cache\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution from INET Cache\",\"description\":\"Identifies the execution of a process with arguments pointing to the INetCache Folder. 
Adversaries may deliver malicious content via WININET during initial access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"revision\":0,\"current_rule\":{\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"updated_at\":\"2024-12-04T19:45:59.571Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.571Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Install Kali Linux via WSL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : \\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Install Kali Linux via WSL\",\"description\":\"Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.571Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : \\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", 
\\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"revision\":0,\"current_rule\":{\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"updated_at\":\"2024-12-04T19:45:59.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.573Z\",\"created_by\":\"elastic\",\"name\":\"Network Connections Initiated Through XDG Autostart Entry\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux 
distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":t
rue}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.parent.executable == \\\"/usr/bin/xfce4-session\\\") or\\n (process.executable == \\\"/bin/sh\\\" and process.args == \\\"-e\\\" and process.args == \\\"-u\\\" and\\n process.args == \\\"-c\\\" and process.args : \\\"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\\\")\\n )\\n ]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", 
\\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n ) or\\n process.executable in (\\n \\\"/usr/lib64/firefox/firefox\\\", \\\"/usr/lib/firefox/firefox\\\", \\\"/opt/forticlient/fortitraylauncher\\\"\\n )\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connections Initiated Through XDG Autostart Entry\",\"description\":\"Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. 
This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the 
[guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.parent.executable == \\\"/usr/bin/xfce4-session\\\") or\\n (process.executable == \\\"/bin/sh\\\" and process.args == \\\"-e\\\" and process.args == \\\"-u\\\" and\\n process.args == \\\"-c\\\" and process.args : \\\"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\\\")\\n )\\n ]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", 
\\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n ) or\\n process.executable in (\\n \\\"/usr/lib64/firefox/firefox\\\", \\\"/usr/lib/firefox/firefox\\\", \\\"/opt/forticlient/fortitraylauncher\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\"],\"target_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"revision\":0,\"current_rule\":{\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"updated_at\":\"2024-12-04T19:45:40.261Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.261Z\",\"created_by\":\"elastic\",\"name\":\"NullSessionPipe Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NullSessionPipe Registry Modification\",\"description\":\"Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. 
This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.261Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : 
(\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"revision\":0,\"current_rule\":{\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"updated_at\":\"2024-12-04T19:45:59.576Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.576Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to Role\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. 
This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role.\"],\"from\":\"now-6m\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to Role\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response 
data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.576Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response 
data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM 
users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" 
and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"revision\":0,\"current_rule\":{\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"updated_at\":\"2024-12-04T19:45:59.578Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.578Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Process from a System Virtual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.pid == 4 and process.executable : \\\"?*\\\" and\\n not process.executable : (\\\"Registry\\\", \\\"MemCompression\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smss.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Process from a System Virtual Process\",\"description\":\"Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.578Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.pid == 4 and process.executable : \\\"?*\\\" and\\n not 
process.executable : (\\\"Registry\\\", \\\"MemCompression\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smss.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"revision\":0,\"current_rule\":{\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"updated_at\":\"2024-12-04T19:45:59.588Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.588Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows User Calling the Metadata Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Looks for anomalous access to the cloud platform metadata service by an unusual user. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.\"],\"from\":\"now-45m\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows User Calling the Metadata Service\",\"description\":\"Looks for anomalous access to the cloud platform metadata service by an unusual user. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.588Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"revision\":0,\"current_rule\":{\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"updated_at\":\"2024-12-04T19:45:59.602Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.602Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to Group\",\"tags\":[\"Domain: Cloud\",\"Data 
Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group.\"],\"from\":\"now-6m\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to Group\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.602Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other 
IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == 
\\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"revision\":0,\"current_rule\":{\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"updated_at\":\"2024-12-04T19:46:04.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.790Z\",\"created_by\":\"elastic\",\"name\":\"Potential privilege escalation via CVE-2022-38028\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and\\n file.path : (\\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential privilege escalation via CVE-2022-38028\",\"description\":\"Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and\\n file.path : (\\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n 
file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"revision\":0,\"current_rule\":{\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"updated_at\":\"2024-12-04T19:45:59.609Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.609Z\",\"created_by\":\"elastic\",\"name\":\"KRBTGT Delegation Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the 
modification of the msDS-AllowedToDelegateTo attribute to include KRBTGT. Attackers can use this technique to maintain persistence in the domain: an account trusted to delegate to the KRBTGT service can request service tickets for it on behalf of other principals, and a service ticket for KRBTGT is effectively a TGT.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[\"https://skyblue.team/posts/delegate-krbtgt\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy 
with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:modified-user-account and event.code:4738 and\\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"KRBTGT Delegation Backdoor\",\"description\":\"Identifies the modification of the msDS-AllowedToDelegateTo attribute to include KRBTGT. Attackers can use this technique to maintain persistence in the domain: an account trusted to delegate to the KRBTGT service can request service tickets for it on behalf of other principals, and a service ticket for KRBTGT is effectively a TGT.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://skyblue.team/posts/delegate-krbtgt\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.609Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.action:modified-user-account and event.code:4738 and\\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n 
winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"revision\":0,\"current_rule\":{\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"updated_at\":\"2024-12-04T19:45:59.611Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.611Z\",\"created_by\":\"elastic\",\"name\":\"System Service Discovery through built-in Windows Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((process.name: \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and \\n not process.parent.name : \\\"net.exe\\\")) and process.args : (\\\"start\\\", \\\"use\\\") and process.args_count == 2) or\\n ((process.name: \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and process.args: (\\\"query\\\", \\\"q*\\\")) or\\n ((process.name: \\\"tasklist.exe\\\" or process.pe.original_file_name == \\\"tasklist.exe\\\") and process.args: \\\"/svc\\\") or\\n (process.name : \\\"psservice.exe\\\" or process.pe.original_file_name == \\\"psservice.exe\\\")\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Service Discovery through built-in Windows Utilities\",\"description\":\"Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1007\",\"name\":\"System Service 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.611Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((process.name: \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and \\n not process.parent.name : \\\"net.exe\\\")) and process.args : (\\\"start\\\", \\\"use\\\") and process.args_count == 2) or\\n ((process.name: \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and process.args: (\\\"query\\\", \\\"q*\\\")) or\\n ((process.name: \\\"tasklist.exe\\\" or process.pe.original_file_name == \\\"tasklist.exe\\\") and process.args: \\\"/svc\\\") or\\n (process.name : \\\"psservice.exe\\\" or process.pe.original_file_name == \\\"psservice.exe\\\")\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"revision\":0,\"current_rule\":{\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"updated_at\":\"2024-12-04T19:45:59.616Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.616Z\",\"created_by\":\"elastic\",\"name\":\"Potentially Suspicious Process Started via tmux or screen\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the execution of suspicious commands via screen and tmux. When a command is launched in a session that is immediately detached, it keeps running in the background as a child of the screen or tmux process. 
Attackers may leverage screen or tmux to execute commands while attempting to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name : (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\",\\n \\\"lua*\\\", \\\"openssl\\\", \\\"telnet\\\", \\\"awk\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potentially 
Suspicious Process Started via tmux or screen\",\"description\":\"This rule monitors for the execution of suspicious commands via screen and tmux. When a command is launched in a session that is immediately detached, it keeps running in the background as a child of the screen or tmux process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.616Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name : (\\n \\\"nmap\\\", 
\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\",\\n \\\"lua*\\\", \\\"openssl\\\", \\\"telnet\\\", \\\"awk\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"revision\":0,\"current_rule\":{\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"updated_at\":\"2024-12-04T19:46:00.527Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.527Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious .NET Reflection via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious .NET Reflection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time of the suspicious PowerShell execution.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1620\",\"name\":\"Reflective Code Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1620/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load\"],\"version\":213,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or 
\\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious .NET Reflection via PowerShell\",\"description\":\"Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious .NET Reflection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time of the suspicious PowerShell execution.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":316,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1620\",\"name\":\"Reflective Code Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1620/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.527Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n 
powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":213,\"target_version\":316,\"merged_version\":316,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n 
\\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"revision\":0,\"current_rule\":{\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"updated_at\":\"2024-12-04T19:46:00.530Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.530Z\",\"created_by\":\"elastic\",\"name\":\"Network Traffic Capture via CAP_NET_RAW\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. 
The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1040\",\"name\":\"Network Sniffing\",\"reference\":\"https://attack.mitre.org/techniques/T1040/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"process\\\" and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and event.action:\\\"exec\\\" and process.name:* and\\n(process.thread.capabilities.effective:\\\"CAP_NET_RAW\\\" or process.thread.capabilities.permitted:\\\"CAP_NET_RAW\\\") and\\nnot user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Traffic Capture via CAP_NET_RAW\",\"description\":\"Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. 
The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1040\",\"name\":\"Network Sniffing\",\"reference\":\"https://attack.mitre.org/techniques/T1040/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.530Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"process\\\" and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and event.action:\\\"exec\\\" and process.name:* and\\n(process.thread.capabilities.effective:\\\"CAP_NET_RAW\\\" or process.thread.capabilities.permitted:\\\"CAP_NET_RAW\\\") and\\nnot 
user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"target_version\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"merged_version\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"user.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"revision\":0,\"current_rule\":{\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"updated_at\":\"2024-12-04T19:46:00.537Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.537Z\",\"created_by\":\"elastic\",\"name\":\"Windows Subsystem for Linux Enabled via Dism Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \\\"Microsoft-Windows-Subsystem-Linux\\\". \\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type : \\\"start\\\" and\\n (process.name : \\\"Dism.exe\\\" or ?process.pe.original_file_name == \\\"DISM.EXE\\\") and \\n process.command_line : \\\"*Microsoft-Windows-Subsystem-Linux*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Subsystem for Linux Enabled via Dism Utility\",\"description\":\"Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \\\"Microsoft-Windows-Subsystem-Linux\\\". 
\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.537Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (process.name : \\\"Dism.exe\\\" or ?process.pe.original_file_name == \\\"DISM.EXE\\\") and \\n process.command_line : \\\"*Microsoft-Windows-Subsystem-Linux*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"revision\":0,\"current_rule\":{\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"updated_at\":\"2024-12-04T19:46:00.539Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.539Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Execution via Renamed PsExec Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to 
evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"psexesvc.exe\\\" and not process.name : \\\"PSEXESVC.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Execution via Renamed PsExec Executable\",\"description\":\"Identifies suspicious psexec activity which is 
executing from the psexec service that has been renamed, possibly to evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.539Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"psexesvc.exe\\\" and not process.name : 
\\\"PSEXESVC.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"revision\":0,\"current_rule\":{\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"updated_at\":\"2024-12-04T19:46:00.549Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.549Z\",\"created_by\":\"elastic\",\"name\":\"Process Activity via Compiled HTML File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Activity via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. 
This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the parent process to gain understanding of what triggered this behavior.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. 
This is not always malicious, but adversaries may abuse this technology to conceal malicious code.\"],\"from\":\"now-9m\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"hh.exe\\\" and\\n process.name : (\\\"mshta.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Activity via Compiled HTML File\",\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Activity via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. 
This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the parent process to gain understanding of what triggered this behavior.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. 
This is not always malicious, but adversaries may abuse this technology to conceal malicious code.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.549Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"pro
cess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"hh.exe\\\" and\\n process.name : (\\\"mshta.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"revision\":0,\"current_rule\":{\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"updated_at\":\"2024-12-04T19:46:00.558Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.558Z\",\"created_by\":\"elastic\",\"name\":\"Connection to Commonly Abused Free SSL Certificate Providers\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual processes connecting to domains using known free SSL certificates. 
Adversaries may employ a known encryption algorithm to conceal command and control traffic.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1573\",\"name\":\"Encrypted Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1573/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n /* Add new free SSL certificate provider domains here */\\n dns.question.name : (\\\"*letsencrypt.org\\\", \\\"*.sslforfree.com\\\", \\\"*.zerossl.com\\\", \\\"*.freessl.org\\\") and\\n\\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\\n process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.exe\\\",\\n\\t \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\notepad.exe\\\") and\\n\\n /* Insert noisy false positives here */\\n not process.name : (\\\"svchost.exe\\\", \\\"MicrosoftEdge*.exe\\\", \\\"msedge.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Connection to Commonly Abused Free SSL Certificate Providers\",\"description\":\"Identifies unusual processes connecting to domains using known free SSL certificates. 
Adversaries may employ a known encryption algorithm to conceal command and control traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1573\",\"name\":\"Encrypted Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1573/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.558Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n /* Add new free SSL certificate provider domains here */\\n dns.question.name : (\\\"*letsencrypt.org\\\", \\\"*.sslforfree.com\\\", \\\"*.zerossl.com\\\", \\\"*.freessl.org\\\") and\\n\\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\\n process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.exe\\\",\\n\\t \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\notepad.exe\\\") and\\n\\n /* Insert noisy false positives here */\\n not process.name : (\\\"svchost.exe\\\", \\\"MicrosoftEdge*.exe\\\", 
\\\"msedge.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"revision\":0,\"current_rule\":{\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"updated_at\":\"2024-12-04T19:46:00.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.560Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via KDE AutoStart Script or Desktop File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. 
Adversaries may abuse this method for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\\n\\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\\n\\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\\n\\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \\\".sh\\\" or \\\".desktop\\\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' 
)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path 
LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"to\":\"now\",\"references\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration 
Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", 
\\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\n \\\"rpm\\\", \\\"pacman\\\", \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via KDE AutoStart Script or Desktop File Modification\",\"description\":\"Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\\n\\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\\n\\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\\n\\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \\\".sh\\\" or \\\".desktop\\\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path 
LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR 
path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in 
(\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\"],\"target_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n 
\\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\n \\\"rpm\\\", \\\"pacman\\\", \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") 
and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"revision\":0,\"current_rule\":{\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"updated_at\":\"2024-12-04T19:46:00.563Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.563Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen NewCredentials Logon Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a new credentials logon type performed by an unusual process. 
This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"authentication\\\" and host.os.type:\\\"windows\\\" and winlog.logon.type:\\\"NewCredentials\\\" and winlog.event_data.LogonProcessName:(Advapi* or \\\"Advapi \\\") and not 
winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\\\\\Program?Files*\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen NewCredentials Logon Process\",\"description\":\"Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token 
Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.563Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"authentication\\\" and host.os.type:\\\"windows\\\" and winlog.logon.type:\\\"NewCredentials\\\" and winlog.event_data.LogonProcessName:(Advapi* or \\\"Advapi \\\") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\\\\\Program?Files*\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"revision\":0,\"current_rule\":{\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"updated_at\":\"2024-12-04T19:46:00.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.568Z\",\"created_by\":\"elastic\",\"name\":\"Service Creation via Local Kerberos Authentication\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. 
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/Dec0ne/KrbRelayUp\",\"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\",\"https://github.com/cube0x0/KrbRelay\",\"https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name with maxspan=5m\\n [authentication where\\n\\n /* event 4624 need to be logged */\\n event.action == \\\"logged-in\\\" and event.outcome == \\\"success\\\" and\\n\\n /* authenticate locally using relayed kerberos Ticket */\\n winlog.event_data.AuthenticationPackageName :\\\"Kerberos\\\" and winlog.logon.type == \\\"Network\\\" and\\n cidrmatch(source.ip, \\\"127.0.0.0/8\\\", \\\"::1\\\") and source.port > 0] by winlog.event_data.TargetLogonId\\n\\n [any where\\n /* event 4697 need to be logged */\\n event.action : \\\"service-installed\\\"] by 
winlog.event_data.SubjectLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Creation via Local Kerberos Authentication\",\"description\":\"Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Dec0ne/KrbRelayUp\",\"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\",\"https://github.com/cube0x0/KrbRelay\",\"https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=5m\\n [authentication where\\n\\n /* event 4624 need to be logged */\\n event.action == \\\"logged-in\\\" and event.outcome == \\\"success\\\" and\\n\\n /* authenticate locally using relayed kerberos Ticket */\\n winlog.event_data.AuthenticationPackageName :\\\"Kerberos\\\" and winlog.logon.type == \\\"Network\\\" and\\n cidrmatch(source.ip, \\\"127.0.0.0/8\\\", \\\"::1\\\") and source.port > 0] by winlog.event_data.TargetLogonId\\n\\n [any where\\n /* event 4697 need to be logged */\\n event.action : \\\"service-installed\\\"] by 
winlog.event_data.SubjectLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"revision\":0,\"current_rule\":{\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"updated_at\":\"2024-12-04T19:46:00.570Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.570Z\",\"created_by\":\"elastic\",\"name\":\"Kerberos Pre-authentication Disabled for User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Pre-authentication Disabled for User\\n\\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\\n\\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Determine if the target account is sensitive or privileged.\\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\\n- Re-enable the preauthentication option or disable the target account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.004\",\"name\":\"AS-REP Roasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code:4738 and winlog.api:\\\"wineventlog\\\" and message:\\\"'Don't Require Preauth' - Enabled\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kerberos Pre-authentication Disabled for User\",\"description\":\"Identifies the modification of an account's Kerberos pre-authentication options. 
An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Pre-authentication Disabled for User\\n\\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\\n\\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Determine if the target account is sensitive or privileged.\\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\\n- Re-enable the preauthentication option or disable the target account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.004\",\"name\":\"AS-REP Roasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.570Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code:4738 and winlog.api:\\\"wineventlog\\\" and message:\\\"'Don't Require Preauth' - Enabled\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"revision\":0,\"current_rule\":{\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"updated_at\":\"2024-12-04T19:46:00.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.573Z\",\"created_by\":\"elastic\",\"name\":\"MFA 
Disabled for Google Workspace Organization\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Disabled for Google Workspace Organization\\n\\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies when MFA enforcement is turned off in Google Workspace. 
This modification weakens account security and can lead to accounts and other assets being compromised.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"MFA settings may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MFA Disabled for Google Workspace Organization\",\"description\":\"Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. 
An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Disabled for Google Workspace Organization\\n\\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"revision\":0,\"current_rule\":{\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"updated_at\":\"2024-12-04T19:46:00.594Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.594Z\",\"created_by\":\"elastic\",\"name\":\"Execution of Persistent Suspicious Program\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\\nsequence by host.id, user.name with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"userinit.exe\\\" and process.parent.name : \\\"winlogon.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"explorer.exe\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in (\\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\") and\\n /* add potential 
suspicious paths here */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"C:\\\\\\\\Intel\\\\\\\\*\\\")\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of Persistent Suspicious Program\",\"description\":\"Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.594Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\\nsequence by host.id, user.name with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"userinit.exe\\\" and process.parent.name : \\\"winlogon.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"explorer.exe\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in (\\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"MSBuild.exe\\\",\\n 
\\\"InstallUtil.exe\\\") and\\n /* add potential suspicious paths here */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"C:\\\\\\\\Intel\\\\\\\\*\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"revision\":0,\"current_rule\":{\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"updated_at\":\"2024-12-04T19:46:00.596Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.596Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMI Event Subscription Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a WMI Event 
Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\",\"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Consumer\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Operation\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where event.dataset == \\\"windows.sysmon_operational\\\" and event.code == \\\"21\\\" and\\n winlog.event_data.Operation : \\\"Created\\\" and 
winlog.event_data.Consumer : (\\\"*subscription:CommandLineEventConsumer*\\\", \\\"*subscription:ActiveScriptEventConsumer*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMI Event Subscription Created\",\"description\":\"Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\",\"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Consumer\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Operation\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.596Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.dataset == \\\"windows.sysmon_operational\\\" and event.code == \\\"21\\\" and\\n winlog.event_data.Operation : \\\"Created\\\" and winlog.event_data.Consumer : (\\\"*subscription:CommandLineEventConsumer*\\\", \\\"*subscription:ActiveScriptEventConsumer*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"revision\":0,\"current_rule\":{\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"updated_at\":\"2024-12-04T19:46:04.795Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.795Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Execution via Microsoft Common Console File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via Microsoft Common Console File\\n\\n- Investigate the source of the MSC file.\\n- Investigate the process execution chain (all spawned child processes and their descendants).\\n- Investigate the process and it's descendants network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the 
malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.genians.co.kr/blog/threat_intelligence/facebook\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and endswith~(process.parent.args, \\\".msc\\\") and\\n not process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Execution via Microsoft Common Console File\",\"description\":\"Identifies the execution of a child process from a Microsoft Common Console file. 
Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via Microsoft Common Console File\\n\\n- Investigate the source of the MSC file.\\n- Investigate the process execution chain (all spawned child processes and their descendants).\\n- Investigate the process and it's descendants network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.genians.co.kr/blog/threat_intelligence/facebook\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.795Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and endswith~(process.parent.args, \\\".msc\\\") and\\n not process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"revision\":0,\"current_rule\":{\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"updated_at\":\"2024-12-04T19:46:00.606Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.606Z\",\"created_by\":\"elastic\",\"name\":\"Service Control Spawned via Script Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. 
This can potentially indicate an attempt to elevate privileges or maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Service Control Spawned via Script Interpreter\\n\\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\\n\\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the 
past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Control Spawned via Script Interpreter\",\"description\":\"Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Service Control Spawned via Script Interpreter\\n\\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\\n\\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the 
past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.606Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", 
\\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM 
SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"revision\":0,\"current_rule\":{\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"updated_at\":\"2024-12-04T19:45:40.264Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.264Z\",\"created_by\":\"elastic\",\"name\":\"Installation of Security Support Provider\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. 
Adversaries may abuse this to establish persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.005\",\"name\":\"Security Support Provider\",\"reference\":\"https://attack.mitre.org/techniques/T1547/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Installation of Security Support Provider\",\"description\":\"Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. 
Adversaries may abuse this to establish persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.005\",\"name\":\"Security Support Provider\",\"reference\":\"https://attack.mitre.org/techniques/T1547/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.264Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == 
\\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"revision\":0,\"current_rule\":{\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"updated_at\":\"2024-12-04T19:46:00.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.608Z\",\"created_by\":\"elastic\",\"name\":\"Host Files System Changes via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects files creation and modification on the host system from the the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/microsoft/WSL\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"dllhost.exe\\\" and \\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\\n process.command_line : \\\"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\\\"]\\n [file where host.os.type == \\\"windows\\\" and process.name : 
\\\"dllhost.exe\\\" and not file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Host Files System Changes via Windows Subsystem for Linux\",\"description\":\"Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/microsoft/WSL\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"dllhost.exe\\\" and \\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\\n process.command_line : \\\"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\\\"]\\n [file where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and not file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"revision\":0,\"current_rule\":{\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"updated_at\":\"2024-12-04T19:46:00.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.613Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious System Commands Executed by Previously Unknown Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. 
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(\\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\\n) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot process.name:(\\n apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\\n or sudo or top or uptime or which or whoami or yum\\n) and\\nnot process.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious System Commands 
Executed by Previously Unknown Executable\",\"description\":\"This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat 
or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(\\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\\n) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot process.name:(\\n apt or dnf or docker or dockerd 
or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\\n or sudo or top or uptime or which or whoami or yum\\n) and\\nnot process.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or 
/tmp/.criu*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"revision\":0,\"current_rule\":{\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"updated_at\":\"2024-12-04T19:46:00.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.627Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Executable File Creation by a System Critical Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Executable File Creation by a System Critical Process\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\\n\\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1211\",\"name\":\"Exploitation for Defense Evasion\",\"reference\":\"https://attack.mitre.org/techniques/T1211/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\") and\\n process.name : (\\\"smss.exe\\\",\\n \\\"autochk.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"wininit.exe\\\",\\n \\\"services.exe\\\",\\n \\\"lsass.exe\\\",\\n \\\"winlogon.exe\\\",\\n \\\"userinit.exe\\\",\\n \\\"LogonUI.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Executable File Creation by a System Critical Process\",\"description\":\"Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Executable File Creation by a System Critical Process\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\\n\\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1211\",\"name\":\"Exploitation for Defense Evasion\",\"reference\":\"https://attack.mitre.org/techniques/T1211/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\") and\\n process.name : (\\\"smss.exe\\\",\\n \\\"autochk.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"wininit.exe\\\",\\n \\\"services.exe\\\",\\n \\\"lsass.exe\\\",\\n \\\"winlogon.exe\\\",\\n \\\"userinit.exe\\\",\\n \\\"LogonUI.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: 
Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"revision\":0,\"current_rule\":{\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"updated_at\":\"2024-12-04T19:46:00.630Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.630Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSA Authentication Package Abuse\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. 
The binary will then be executed by SYSTEM when the authentication packages are loaded.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == 
\\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\"\\n ) and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSA Authentication Package Abuse\",\"description\":\"Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.630Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\"\\n ) and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"revision\":0,\"current_rule\":{\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"updated_at\":\"2024-12-04T19:46:00.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.637Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_parent\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a Parent Process\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_parent\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"revision\":0,\"current_rule\":{\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"updated_at\":\"2024-12-04T19:46:00.644Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.644Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious APT Package Manager Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable == 
\\\"/usr/bin/apt-listbugs\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious APT Package Manager Network Connection\",\"description\":\"Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:46:00.644Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable == \\\"/usr/bin/apt-listbugs\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer 
Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"revision\":0,\"current_rule\":{\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"updated_at\":\"2024-12-04T19:46:00.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.649Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Webcam Video Capture Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1125\",\"name\":\"Video Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1125/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"NewFrameEventHandler\\\" or\\n \\\"VideoCaptureDevice\\\" or\\n \\\"DirectX.Capture.Filters\\\" or\\n \\\"VideoCompressors\\\" or\\n \\\"Start-WebcamRecorder\\\" or\\n (\\n (\\\"capCreateCaptureWindowA\\\" or\\n \\\"capCreateCaptureWindow\\\" or\\n \\\"capGetDriverDescription\\\") and\\n (\\\"avicap32.dll\\\" or \\\"avicap32\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Webcam Video Capture 
Capabilities\",\"description\":\"Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1125\",\"name\":\"Video Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1125/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.649Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"NewFrameEventHandler\\\" or\\n \\\"VideoCaptureDevice\\\" or\\n \\\"DirectX.Capture.Filters\\\" or\\n \\\"VideoCompressors\\\" or\\n \\\"Start-WebcamRecorder\\\" or\\n (\\n (\\\"capCreateCaptureWindowA\\\" or\\n \\\"capCreateCaptureWindow\\\" or\\n \\\"capGetDriverDescription\\\") and\\n (\\\"avicap32.dll\\\" or \\\"avicap32\\\")\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"revision\":0,\"current_rule\":{\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"updated_at\":\"2024-12-04T19:46:00.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.652Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Kerberos Ticket Request\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Request\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\\n\\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process 
tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Validate if the account has an SPN associated with it.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\\n\\n### False positive analysis\\n\\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cobalt.io/blog/kerberoast-attack-techniques\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n KerberosRequestorSecurityToken\\n ) and not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-20\\\") and\\n not powershell.file.script_block_text : (\\n (\\\"sentinelbreakpoints\\\" and (\\\"Set-PSBreakpoint\\\" or \\\"Set-HookFunctionTabs\\\")) or\\n (\\\"function global\\\" and \\\"\\\\\\\\windows\\\\\\\\sentinel\\\\\\\\4\\\")\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Kerberos Ticket Request\",\"description\":\"Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Request\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\\n\\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Validate if the account has an SPN associated with it.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\\n\\n### False positive analysis\\n\\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cobalt.io/blog/kerberoast-attack-techniques\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n KerberosRequestorSecurityToken\\n ) and not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-20\\\") and\\n not powershell.file.script_block_text : (\\n (\\\"sentinelbreakpoints\\\" and (\\\"Set-PSBreakpoint\\\" or \\\"Set-HookFunctionTabs\\\")) or\\n (\\\"function global\\\" and \\\"\\\\\\\\windows\\\\\\\\sentinel\\\\\\\\4\\\")\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"revision\":0,\"current_rule\":{\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"updated_at\":\"2024-12-04T19:46:01.881Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.881Z\",\"created_by\":\"elastic\",\"name\":\"Mimikatz Memssp Log File Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the password log file from the default Mimikatz memssp module.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz Memssp Log File Detected\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. 
This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\\n\\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Retrieve and inspect the log file contents.\\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n - Identify the process that created the DLL using file creation events.\\n\\n### False positive analysis\\n\\n- This file name `mimilsa.log` should not legitimately be created.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the host is a Domain Controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reboot the host to remove the injected SSP from memory.\\n- Reimage the host operating system or restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and file.name : \\\"mimilsa.log\\\" and process.name : \\\"lsass.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mimikatz Memssp Log File Detected\",\"description\":\"Identifies the password log file from the default Mimikatz memssp module.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz Memssp Log File Detected\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\\n\\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Retrieve and inspect the log file contents.\\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n - Identify the process that created the DLL using file creation events.\\n\\n### False positive analysis\\n\\n- This file name `mimilsa.log` should not legitimately be created.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the host is a Domain Controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reboot the host to remove the injected SSP from memory.\\n- Reimage the host operating system or restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.881Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and file.name : \\\"mimilsa.log\\\" and process.name : \\\"lsass.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: 
Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"revision\":0,\"current_rule\":{\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"updated_at\":\"2024-12-04T19:46:01.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.648Z\",\"created_by\":\"elastic\",\"name\":\"IIS HTTP Logging Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. 
An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating IIS HTTP Logging Disabled\\n\\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\\n\\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\\n\\nThis rule monitors commands that disable IIS logging.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Verify whether the logs stored in the `C:\\\\inetpub\\\\logs\\\\logfiles\\\\w3svc1` directory were deleted after this action.\\n- Check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"/dontLog*:*True\\\" and\\n not process.parent.name : \\\"iissetup.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"IIS HTTP Logging Disabled\",\"description\":\"Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. 
An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating IIS HTTP Logging Disabled\\n\\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\\n\\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\\n\\nThis rule monitors commands that disable IIS logging.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Verify whether the logs stored in the `C:\\\\inetpub\\\\logs\\\\logfiles\\\\w3svc1` directory were deleted after this action.\\n- Check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.648Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"/dontLog*:*True\\\" and\\n not process.parent.name : 
\\\"iissetup.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"revision\":0,\"current_rule\":{\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"updated_at\":\"2024-12-04T19:46:01.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.652Z\",\"created_by\":\"elastic\",\"name\":\"Process Execution from an Unusual Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process execution from suspicious default Windows directories. 
This is sometimes done by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Execution from an Unusual Directory\\n\\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and 
addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of executable and signature conditions.\\n\\n### Related Rules\\n\\n- Unusual 
Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Execution from an Unusual Directory\",\"description\":\"Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Execution from an Unusual Directory\\n\\nThis rule identifies processes that are executed from suspicious default Windows directories. 
Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events 
to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of executable and signature conditions.\\n\\n### Related Rules\\n\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further 
post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : 
(\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n 
(\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and 
process.code_signature.trusted == true) */\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"revision\":0,\"current_rule\":{\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"updated_at\":\"2024-12-04T19:46:01.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.676Z\",\"created_by\":\"elastic\",\"name\":\"AdFind Command Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the Active Directory query tool, AdFind.exe. 
AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdFind Command Activity\\n\\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line to determine what information was retrieved by the tool.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\\n\\n### Related rules\\n\\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"http://www.joeware.net/freetools/tools/adfind/\",\"https://thedfirreport.com/2020/05/08/adfind-recon/\",\"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\",\"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\",\"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\",\"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdFind Command Activity\",\"description\":\"This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdFind Command Activity\\n\\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. 
This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line to determine what information was retrieved by the tool.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. 
It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\\n\\n### Related rules\\n\\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://www.joeware.net/freetools/tools/adfind/\",\"https://thedfirreport.com/2020/05/08/adfind-recon/\",\"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\",\"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\",\"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\",\"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.676Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", 
\\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n 
\\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", 
\\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"revision\":0,\"current_rule\":{\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"updated_at\":\"2024-12-04T19:46:01.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.692Z\",\"created_by\":\"elastic\",\"name\":\"ImageLoad via Windows Update Auto Update Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies abuse of the Windows Update Auto Update Client 
(wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating ImageLoad via Windows Update Auto Update Client\\n\\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \\n\\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\\\"/RunHandlerComServer\\\" and \\\"/UpdateDeploymentProvider\\\") and common writable paths where the target DLL can be placed (e.g., \\\"C:\\\\Users\\\\*.dll\\\", \\\"C:\\\\ProgramData\\\\*.dll\\\", etc.).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line and identify the DLL location.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://dtm.uk/wuauclt/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"wuauclt.exe\\\" or process.name : \\\"wuauclt.exe\\\") and\\n /* necessary windows update client args to load a dll */\\n process.args : \\\"/RunHandlerComServer\\\" and process.args : \\\"/UpdateDeploymentProvider\\\" and\\n /* common paths writeable by a standard user where the target DLL can be placed */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ImageLoad via Windows Update Auto Update Client\",\"description\":\"Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating ImageLoad via Windows Update Auto Update Client\\n\\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. 
However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \\n\\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\\\"/RunHandlerComServer\\\" and \\\"/UpdateDeploymentProvider\\\") and common writable paths where the target DLL can be placed (e.g., \\\"C:\\\\Users\\\\*.dll\\\", \\\"C:\\\\ProgramData\\\\*.dll\\\", etc.).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line and identify the DLL location.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, 
or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://dtm.uk/wuauclt/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"wuauclt.exe\\\" or process.name : \\\"wuauclt.exe\\\") and\\n /* necessary windows update client args to load a dll */\\n process.args : \\\"/RunHandlerComServer\\\" and process.args : \\\"/UpdateDeploymentProvider\\\" and\\n /* common paths writeable by a standard user where the target DLL can be placed */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.dll\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"revision\":0,\"current_rule\":{\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"updated_at\":\"2024-12-04T19:46:01.696Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.696Z\",\"created_by\":\"elastic\",\"name\":\"Linux User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create new users. 
Attackers may add new users to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Account Creation\\n\\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was created successfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"user\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"useradd\\\", \\\"adduser\\\") and user.name != 
null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux User Account Creation\",\"description\":\"Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Account Creation\\n\\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.696Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"user\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"useradd\\\", \\\"adduser\\\") and user.name != null\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"revision\":0,\"current_rule\":{\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"updated_at\":\"2024-12-04T19:46:01.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.704Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Print Spooler Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Install or update of a legitimate printing driver. 
Verify the printer driver file metadata such as manufacturer and signature information.\"],\"from\":\"now-9m\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"spoolsv.exe\\\" and process.command_line != null and \\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n\\n /* exclusions for FP control below */\\n not process.name : (\\\"splwow64.exe\\\", \\\"PDFCreator.exe\\\", \\\"acrodist.exe\\\", \\\"spoolsv.exe\\\", \\\"msiexec.exe\\\", \\\"route.exe\\\", \\\"WerFault.exe\\\") and\\n not process.command_line : \\\"*\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS*\\\" and\\n not (process.name : \\\"net.exe\\\" and process.command_line : (\\\"*stop*\\\", \\\"*start*\\\")) and\\n not (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and process.command_line : (\\\"*.spl*\\\", \\\"*\\\\\\\\program files*\\\", \\\"*route add*\\\")) and\\n not (process.name : \\\"netsh.exe\\\" and process.command_line : (\\\"*add portopening*\\\", \\\"*rule name*\\\")) and\\n not (process.name : \\\"regsvr32.exe\\\" and process.command_line : \\\"*PrintConfig.dll*\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CutePDF Writer\\\\\\\\CPWriter2.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GPLGS\\\\\\\\gswin32c.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Print Spooler Child Process\",\"description\":\"Detects unusual Print Spooler service (spoolsv.exe) child processes. 
This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information.\"],\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"spoolsv.exe\\\" and process.command_line != null and \\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n\\n /* exclusions for FP control below */\\n not process.name : (\\\"splwow64.exe\\\", \\\"PDFCreator.exe\\\", \\\"acrodist.exe\\\", \\\"spoolsv.exe\\\", \\\"msiexec.exe\\\", \\\"route.exe\\\", \\\"WerFault.exe\\\") and\\n not process.command_line : \\\"*\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS*\\\" and\\n not (process.name : \\\"net.exe\\\" and process.command_line : (\\\"*stop*\\\", \\\"*start*\\\")) and\\n not (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") 
and process.command_line : (\\\"*.spl*\\\", \\\"*\\\\\\\\program files*\\\", \\\"*route add*\\\")) and\\n not (process.name : \\\"netsh.exe\\\" and process.command_line : (\\\"*add portopening*\\\", \\\"*rule name*\\\")) and\\n not (process.name : \\\"regsvr32.exe\\\" and process.command_line : \\\"*PrintConfig.dll*\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CutePDF Writer\\\\\\\\CPWriter2.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GPLGS\\\\\\\\gswin32c.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"revision\":0,\"current_rule\":{\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"updated_at\":\"2024-12-04T19:46:01.724Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.724Z\",\"created_by\":\"elastic\",\"name\":\"Whoami Process Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Whoami Process Activity\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. 
This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.*\",\"endgame-*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"whoami.exe\\\" and\\n(\\n (\\n /* scoped for whoami execution under system privileges */\\n (\\n user.domain : 
(\\\"NT *\\\", \\\"* NT\\\", \\\"IIS APPPOOL\\\") and\\n user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\", \\\"S-1-5-82-*\\\") and\\n not ?winlog.event_data.SubjectUserName : \\\"*$\\\"\\n ) and\\n not (\\n process.parent.name : \\\"cmd.exe\\\" and\\n process.parent.args : (\\n \\\"chcp 437>nul 2>&1 & C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"chcp 437>nul 2>&1 & %systemroot%\\\\\\\\system32\\\\\\\\whoami /user\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"*WINDOWS\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile*\\\"\\n )\\n ) and\\n not (process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.parent.args : \\\"LIST\\\") and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Cohesity\\\\\\\\cohesity_windows_agent_service.exe\\\"\\n )\\n ) or\\n process.parent.name : (\\\"wsmprovhost.exe\\\", \\\"w3wp.exe\\\", \\\"wmiprvse.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Whoami Process Activity\",\"description\":\"Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Whoami Process Activity\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `whoami` utility. 
Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. 
Usage by non-engineers and ordinary users is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:46:01.724Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"whoami.exe\\\" and\\n(\\n (\\n /* scoped for whoami execution under system privileges */\\n (\\n user.domain : (\\\"NT *\\\", \\\"* NT\\\", \\\"IIS APPPOOL\\\") and\\n user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\", \\\"S-1-5-82-*\\\") and\\n not ?winlog.event_data.SubjectUserName : \\\"*$\\\"\\n ) and\\n not (\\n process.parent.name : \\\"cmd.exe\\\" and\\n process.parent.args : (\\n \\\"chcp 437>nul 2>&1 & C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"chcp 437>nul 2>&1 & %systemroot%\\\\\\\\system32\\\\\\\\whoami /user\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"*WINDOWS\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile*\\\"\\n )\\n ) and\\n not (process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.parent.args : \\\"LIST\\\") and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Cohesity\\\\\\\\cohesity_windows_agent_service.exe\\\"\\n )\\n ) or\\n process.parent.name : (\\\"wsmprovhost.exe\\\", \\\"w3wp.exe\\\", \\\"wmiprvse.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"revision\":0,\"current_rule\":{\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"updated_at\":\"2024-12-04T19:46:01.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.732Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Processes of RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"30m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Processes of RunDLL32\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related Rules\\n\\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-60m\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"lo
gs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1h\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"rundll32.exe\\\" or process.pe.original_file_name == \\\"RUNDLL32.EXE\\\") and\\n process.args_count == 1\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"rundll32.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Processes of RunDLL32\",\"description\":\"Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Processes of RunDLL32\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related Rules\\n\\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"30m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1h\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"rundll32.exe\\\" or process.pe.original_file_name == \\\"RUNDLL32.EXE\\\") and\\n process.args_count == 1\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"rundll32.exe\\\"\\n ] by 
process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"revision\":0,\"current_rule\":{\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"updated_at\":\"2024-12-04T19:46:01.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.736Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious HTML File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a browser process to open an HTML file with high entropy and size. 
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.006\",\"name\":\"HTML 
Smuggling\",\"reference\":\"https://attack.mitre.org/techniques/T1027/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"],\"query\":\"sequence by user.id with maxspan=5m\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n file.extension : (\\\"htm\\\", \\\"html\\\") and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\") and\\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious HTML File Creation\",\"description\":\"Identifies the execution of a browser process to open an HTML file with high entropy and size. 
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.006\",\"name\":\"HTML Smuggling\",\"reference\":\"https://attack.mitre.org/techniques/T1027/006/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"This rule may have a low to medium performance impact due variety 
of file paths potentially matching each EQL sequence.\",\"merged_version\":\"This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by user.id with maxspan=5m\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n file.extension : (\\\"htm\\\", \\\"html\\\") and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\") and\\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args 
== \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"updated_at\":\"2024-12-04T19:46:01.766Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.766Z\",\"created_by\":\"elastic\",\"name\":\"Forwarded Google Workspace Security Alert\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. 
An alert is a warning of a potential security issue that Google has detected.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"rule_name_override\":\"google_workspace.alert.type\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.\",\"For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.\"],\"from\":\"now-130m\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"threat\":[],\"to\":\"now\",\"references\":[\"https://workspace.google.com/products/admin/alert-center/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset: google_workspace.alert\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Forwarded Google Workspace Security Alert\",\"description\":\"Identifies the occurrence of a security alert from the Google 
Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.\",\"risk_score\":73,\"severity\":\"high\",\"rule_name_override\":\"google_workspace.alert.type\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.\",\"For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be 
added.\"],\"references\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[],\"setup\":\"\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.766Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset: google_workspace.alert\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://workspace.google.com/products/admin/alert-center/\"],\"target_version\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"revision\":0,\"current_rule\":{\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"updated_at\":\"2024-12-04T19:46:01.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.774Z\",\"created_by\":\"elastic\",\"name\":\"Service Path Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Path Modification\",\"description\":\"Identifies attempts to modify a service path by an unusual process. 
Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"revision\":0,\"current_rule\":{\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"updated_at\":\"2024-12-04T19:45:40.273Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.273Z\",\"created_by\":\"elastic\",\"name\":\"SIP Provider Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the 
registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.003\",\"name\":\"SIP and Trust Provider Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1553/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/mattifestation/PoCSubjectInterfacePackage\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and 
registry.value : (\\\"Dll\\\", \\\"$Dll\\\") and\\n registry.path: (\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not (process.name : \\\"msiexec.exe\\\" and registry.data.strings : \\\"mso.dll\\\") and\\n not (process.name : \\\"regsvr32.exe\\\" and registry.data.strings == \\\"WINTRUST.DLL\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SIP Provider Modification\",\"description\":\"Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. 
This may be an attempt to bypass signature validation checks or inject code into critical processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/mattifestation/PoCSubjectInterfacePackage\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.003\",\"name\":\"SIP and Trust Provider 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1553/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.273Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"Dll\\\", \\\"$Dll\\\") and\\n registry.path: (\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not (process.name : \\\"msiexec.exe\\\" 
and registry.data.strings : \\\"mso.dll\\\") and\\n not (process.name : \\\"regsvr32.exe\\\" and registry.data.strings == \\\"WINTRUST.DLL\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"revision\":0,\"current_rule\":{\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"updated_at\":\"2024-12-04T19:46:01.786Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.786Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Memory Dump Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Creation\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process responsible for creating the dump file.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/outflanknl/Dumpert\",\"https://github.com/hoangprod/AndrewSpecial\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Memory Dump Creation\",\"description\":\"Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Creation\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process responsible for creating the dump file.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/outflanknl/Dumpert\",\"https://github.com/hoangprod/AndrewSpecial\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.786Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL 
Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) 
and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"updated_at\":\"2024-12-04T19:46:01.793Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.793Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Object Copied to External Drive with App Consent\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a 
user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \\\"copy\\\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Object Copied to External Drive with App Consent\\n\\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. 
Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\\n\\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\\n - Review the application ID as well from `google_workspace.token.client.id`.\\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\\n - This information will help pivot and triage into what services may have been affected.\\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\\n\\n### False positive analysis\\n- Communicate with the affected user to identify if these actions were intentional\\n- If a container-bound script exists, review code to identify if it is benign or malicious\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help 
you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.\"],\"from\":\"now-9m\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"sequence by source.user.email with maxspan=3m\\n[file where event.dataset == \\\"google_workspace.drive\\\" and event.action == \\\"copy\\\" and\\n\\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\\n google_workspace.drive.owner_is_team_drive == \\\"false\\\" and google_workspace.drive.copy_type == \\\"external\\\" and\\n\\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\\n google_workspace.drive.file.type: (\\\"script\\\", \\\"form\\\", \\\"spreadsheet\\\", \\\"document\\\")]\\n\\n[any where event.dataset == \\\"google_workspace.token\\\" and event.action == 
\\\"authorize\\\" and\\n\\n /* Ensures application ID references custom app in Google Workspace and not GCP */\\n google_workspace.token.client.id : \\\"*apps.googleusercontent.com\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Object Copied to External Drive with App Consent\",\"description\":\"Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \\\"copy\\\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Object Copied to External Drive with App Consent\\n\\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. 
Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\\n\\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\\n - Review the application ID as well from `google_workspace.token.client.id`.\\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\\n - This information will help pivot and triage into what services may have been affected.\\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\\n\\n### False positive analysis\\n- Communicate with the affected user to identify if these actions were intentional\\n- If a container-bound script exists, review code to identify if it is benign or malicious\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help 
you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. 
It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.\"],\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.793Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by source.user.email with maxspan=3m\\n[file where event.dataset == \\\"google_workspace.drive\\\" and event.action == \\\"copy\\\" and\\n\\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\\n google_workspace.drive.owner_is_team_drive == \\\"false\\\" and google_workspace.drive.copy_type == \\\"external\\\" and\\n\\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\\n google_workspace.drive.file.type: (\\\"script\\\", \\\"form\\\", \\\"spreadsheet\\\", \\\"document\\\")]\\n\\n[any where event.dataset == \\\"google_workspace.token\\\" and event.action == \\\"authorize\\\" and\\n\\n /* Ensures application ID references custom app in Google Workspace and not GCP */\\n google_workspace.token.client.id : 
\\\"*apps.googleusercontent.com\\\"]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"target_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"merged_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"revision\":0,\"current_rule\":{\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"updated_at\":\"2024-12-04T19:46:01.840Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.840Z\",\"created_by\":\"elastic\",\"name\":\"WMI Incoming Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan = 2s\\n\\n /* Accepted Incoming RPC connection by Winmgmt service */\\n\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and source.port >= 49152 and destination.port >= 49152\\n ]\\n\\n /* Excluding Common FPs Nessus and SCCM */\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == 
\\\"start\\\" and process.parent.name : \\\"WmiPrvSE.exe\\\" and\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\HPWBEM\\\\\\\\Tools\\\\\\\\hpsum_swdiscovery.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\Ccm32BitLauncher.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\mofcomp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\csc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\powercfg.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"REBOOT=ReallySuppress\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.args : \\\"uninstall\\\")\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMI Incoming Lateral Movement\",\"description\":\"Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.840Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 2s\\n\\n /* Accepted Incoming RPC connection by Winmgmt service */\\n\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and source.port >= 49152 and destination.port >= 49152\\n ]\\n\\n /* Excluding Common FPs Nessus and SCCM */\\n\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"WmiPrvSE.exe\\\" and\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\HPWBEM\\\\\\\\Tools\\\\\\\\hpsum_swdiscovery.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\Ccm32BitLauncher.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\mofcomp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\csc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\powercfg.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"REBOOT=ReallySuppress\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.args : \\\"uninstall\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"revision\":0,\"current_rule\":{\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"updated_at\":\"2024-12-04T19:46:01.849Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.849Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Network Connection via systemd\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. 
Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Network Connection via systemd\",\"description\":\"Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd 
backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend 
Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.849Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", 
\\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\"
:\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process 
where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"revision\":0,\"current_rule\":{\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"updated_at\":\"2024-12-04T19:46:01.854Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.854Z\",\"created_by\":\"elastic\",\"name\":\"Potential curl CVE-2023-38545 Exploitation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Use Case: Vulnerability\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. 
For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[\"https://curl.se/docs/CVE-2023-38545.html\",\"https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/\",\"https://twitter.com/_JohnHammond/status/1711986412554531015\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nElastic Defend integration does not collect environment variable logging by default.\\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\\n #### To set up environment variable capture for an Elastic Agent policy:\\n- Go to “Security → Manage → Policies”.\\n- Select an “Elastic Agent policy”.\\n- Click “Show advanced settings”.\\n- Scroll down or search for “linux.advanced.capture_env_vars”.\\n- Enter the names of environment variables you want to capture, separated by commas.\\n- For this rule the linux.advanced.capture_env_vars variable should be set to \\\"http_proxy,HTTPS_PROXY,ALL_PROXY\\\".\\n- Click “Save”.\\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args : (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n 
process.env_vars: (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and \\nnot process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") and\\nnot process.args == \\\"/opt/rudder/bin/curl\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential curl CVE-2023-38545 Exploitation\",\"description\":\"Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Use Case: Vulnerability\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://curl.se/docs/CVE-2023-38545.html\",\"https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/\",\"https://twitter.com/_JohnHammond/status/1711986412554531015\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nElastic Defend integration does not collect environment variable logging by default.\\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\\n #### To set up environment variable capture for an Elastic Agent policy:\\n- Go to “Security → Manage → Policies”.\\n- Select an “Elastic Agent policy”.\\n- Click “Show advanced settings”.\\n- Scroll down or search for “linux.advanced.capture_env_vars”.\\n- Enter the names of environment variables you want to capture, separated by commas.\\n- For this rule the linux.advanced.capture_env_vars variable should be set to \\\"http_proxy,HTTPS_PROXY,ALL_PROXY\\\".\\n- Click “Save”.\\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\\nFor more information on capturing environment variables refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.854Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", 
\\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{
\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args : (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars: (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and \\nnot process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") and\\nnot process.args == \\\"/opt/rudder/bin/curl\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like 
(\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"revision\":0,\"current_rule\":{\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"updated_at\":\"2024-12-04T19:46:01.857Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.857Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Microsoft Office AddIns\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"wll\\\",\\\"xll\\\",\\\"ppa\\\",\\\"ppam\\\",\\\"xla\\\",\\\"xlam\\\") and\\n file.path :\\n (\\n 
\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Word\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\AddIns\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Excel\\\\\\\\XLSTART\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Microsoft Office AddIns\",\"description\":\"Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.857Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"wll\\\",\\\"xll\\\",\\\"ppa\\\",\\\"ppam\\\",\\\"xla\\\",\\\"xlam\\\") and\\n file.path :\\n (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Word\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\AddIns\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Excel\\\\\\\\XLSTART\\\\\\\\*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"revision\":0,\"current_rule\":{\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"updated_at\":\"2024-12-04T19:46:01.862Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.862Z\",\"created_by\":\"elastic\",\"name\":\"Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the assignment of the SeEnableDelegationPrivilege sensitive \\\"user right\\\" to a user. The SeEnableDelegationPrivilege \\\"user right\\\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\\n\\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\\n\\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. 
Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\\n\\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\\n\\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\\n\\n#### Possible investigation steps\\n\\n- Investigate how the privilege was assigned to the user and who assigned it.\\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\\n- Investigate other alerts associated with the users/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. 
If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\\n\\n### Related rules\\n\\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Remove the privilege from the account.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml\",\"https://twitter.com/_nwodtuhs/status/1454049485080907776\",\"https://www.thehacker.recipes/ad/movement/kerberos/delegations\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policy Configuration >\\nAudit Policies >\\nPolicy Change >\\nAudit Authorization Policy Change (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"Authorization Policy Change\\\" and event.code:4704 and\\n winlog.event_data.PrivilegeList:\\\"SeEnableDelegationPrivilege\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\",\"description\":\"Identifies the assignment of the SeEnableDelegationPrivilege sensitive 
\\\"user right\\\" to a user. The SeEnableDelegationPrivilege \\\"user right\\\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\\n\\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\\n\\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\\n\\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\\n\\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\\n\\n#### Possible investigation steps\\n\\n- Investigate how the privilege was assigned to the user and who assigned it.\\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\\n- Investigate other alerts associated with the users/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\\n\\n### Related rules\\n\\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Remove the privilege from the account.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml\",\"https://twitter.com/_nwodtuhs/status/1454049485080907776\",\"https://www.thehacker.recipes/ad/movement/kerberos/delegations\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policy Configuration >\\nAudit Policies >\\nPolicy Change >\\nAudit Authorization Policy Change 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.862Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"Authorization Policy Change\\\" and event.code:4704 and\\n winlog.event_data.PrivilegeList:\\\"SeEnableDelegationPrivilege\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active 
Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"revision\":0,\"current_rule\":{\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"updated_at\":\"2024-12-04T19:46:04.807Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.807Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. 
Multiple violations imply that a user may be intentionally attempting to circumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"from\":\"now-60m\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request\",\"description\":\"Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations imply that a user may be intentionally attempting to circumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused 
multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: 
AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.807Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations 
desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set 
guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these 
requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations 
desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"revision\":0,\"current_rule\":{\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"updated_at\":\"2024-12-04T19:46:04.809Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.809Z\",\"created_by\":\"elastic\",\"name\":\"DPKG Package Installed by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the dpkg command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"DPKG Package Installed by Unusual Parent Process\",\"description\":\"This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the dpkg command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.809Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"revision\":0,\"current_rule\":{\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"updated_at\":\"2024-12-04T19:46:01.867Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.867Z\",\"created_by\":\"elastic\",\"name\":\"Windows Script Executing PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Script Executing PowerShell\\n\\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate commands executed by the spawned PowerShell process.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\") and process.name : \\\"powershell.exe\\\" and\\n not (\\n process.parent.name : \\\"wscript.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\IntuneDriveMapping-VBSHelper.vbs\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\DriveMapping.ps1\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Script Executing 
PowerShell\",\"description\":\"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Script Executing PowerShell\\n\\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate commands executed by the spawned PowerShell process.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.867Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\") and process.name : \\\"powershell.exe\\\" and\\n not (\\n process.parent.name : \\\"wscript.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\IntuneDriveMapping-VBSHelper.vbs\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\DriveMapping.ps1\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merged_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"revision\":0,\"current_rule\":{\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"updated_at\":\"2024-12-04T19:46:01.872Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.872Z\",\"created_by\":\"elastic\",\"name\":\"Rare SMB Connection to the Internet\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:network and host.os.type:windows and process.pid:4 and \\n network.transport:tcp and destination.port:(139 or 445) and \\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"new_terms_fields\":[\"destination.ip\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Rare SMB Connection to the 
Internet\",\"description\":\"This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.872Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:network and host.os.type:windows and process.pid:4 and \\n network.transport:tcp and destination.port:(139 or 445) and \\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"new_terms_fields\":[\"destination.ip\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"revision\":0,\"current_rule\":{\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"updated_at\":\"2024-12-04T19:46:01.875Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.875Z\",\"created_by\":\"elastic\",\"name\":\"WRITEDAC Access on Active Directory Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. 
Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration 
>\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.*\"],\"query\":\"host.os.type: \\\"windows\\\" and event.action : (\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and\\n event.code : \\\"4662\\\" and winlog.event_data.AccessMask:\\\"0x40000\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WRITEDAC Access on Active Directory Object\",\"description\":\"Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.875Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.*\"],\"query\":\"host.os.type: \\\"windows\\\" and event.action : (\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and\\n event.code : \\\"4662\\\" and 
winlog.event_data.AccessMask:\\\"0x40000\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"revision\":0,\"current_rule\":{\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"updated_at\":\"2024-12-04T19:46:01.878Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.878Z\",\"created_by\":\"elastic\",\"name\":\"WMIC Remote Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"WMIC.exe\\\" and\\n process.args : \\\"*node:*\\\" and\\n process.args : (\\\"call\\\", \\\"set\\\", \\\"get\\\") and\\n not process.args : (\\\"*/node:localhost*\\\", \\\"*/node:\\\\\\\"127.0.0.1\\\\\\\"*\\\", \\\"/node:127.0.0.1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMIC Remote Command\",\"description\":\"Identifies the use of wmic.exe to run commands on remote hosts. 
While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.878Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"WMIC.exe\\\" and\\n process.args : \\\"*node:*\\\" and\\n process.args : (\\\"call\\\", \\\"set\\\", \\\"get\\\") and\\n not process.args : (\\\"*/node:localhost*\\\", \\\"*/node:\\\\\\\"127.0.0.1\\\\\\\"*\\\", \\\"/node:127.0.0.1\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"revision\":0,\"current_rule\":{\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"updated_at\":\"2024-12-04T19:46:02.758Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.758Z\",\"created_by\":\"elastic\",\"name\":\"Setcap setuid/setgid Capability Set\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. 
Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Setcap setuid/setgid Capability Set\\n\\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\\n\\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\\n\\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and 
Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not process.parent.name in (\\\"jem\\\", \\\"vzctl\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Setcap setuid/setgid Capability Set\",\"description\":\"This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. 
Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Setcap setuid/setgid Capability Set\\n\\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\\n\\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\\n\\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.758Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like 
\\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not process.parent.name in (\\\"jem\\\", \\\"vzctl\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like \\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like \\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"revision\":0,\"current_rule\":{\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"updated_at\":\"2024-12-04T19:46:02.625Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.625Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. 
Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_parent\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a Parent Process\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.625Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_parent\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"revision\":0,\"current_rule\":{\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"updated_at\":\"2024-12-04T19:46:02.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.627Z\",\"created_by\":\"elastic\",\"name\":\"Masquerading Space After Filename\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. 
They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.006\",\"name\":\"Space after Filename\",\"reference\":\"https://attack.mitre.org/techniques/T1036/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and\\n event.type == \\\"start\\\" and\\n (process.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\") and not\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Masquerading Space After Filename\",\"description\":\"This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.006\",\"name\":\"Space after Filename\",\"reference\":\"https://attack.mitre.org/techniques/T1036/006/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", 
\\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and\\n event.type == \\\"start\\\" and\\n (process.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\") and not\\n 
process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", \\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", \\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"revision\":0,\"current_rule\":{\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"updated_at\":\"2024-12-04T19:46:02.632Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.632Z\",\"created_by\":\"elastic\",\"name\":\"Windows Firewall Disabled via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Firewall Disabled via PowerShell\\n\\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Re-enable the firewall with its desired configurations.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Windows Firewall can be disabled by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-9m\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps\",\"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\",\"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\",\"http://woshub.com/manage-windows-firewall-powershell/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", 
\\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n (process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\") and\\n (process.args : \\\"*-All*\\\" or process.args : (\\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Firewall Disabled via PowerShell\",\"description\":\"Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Firewall Disabled via PowerShell\\n\\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Re-enable the firewall with its desired configurations.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[\"Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps\",\"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\",\"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\",\"http://woshub.com/manage-windows-firewall-powershell/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.632Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", 
\\\"*Private*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n (process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\") and\\n (process.args : \\\"*-All*\\\" or process.args : (\\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n 
process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"revision\":0,\"current_rule\":{\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"updated_at\":\"2024-12-04T19:46:02.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.637Z\",\"created_by\":\"elastic\",\"name\":\"Delete Volume USN Journal with Fsutil\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the fsutil.exe to delete the volume USNJRNL. 
This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Delete Volume USN Journal with Fsutil\\n\\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\\n\\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\\n\\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"deletejournal\\\" and process.args : \\\"usn\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Delete Volume USN Journal with Fsutil\",\"description\":\"Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Delete Volume USN Journal with Fsutil\\n\\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\\n\\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\\n\\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File 
Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"deletejournal\\\" and process.args : \\\"usn\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"revision\":0,\"current_rule\":{\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"updated_at\":\"2024-12-04T19:46:02.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.655Z\",\"created_by\":\"elastic\",\"name\":\"Persistent Scripts in the Startup Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. 
Adversaries may abuse this technique to maintain persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous 
entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"},{\"id\":\"T1547.009\",\"name\":\"Shortcut Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1547/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n file.extension : (\\\"lnk\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") and\\n not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\")) and\\n\\n /* detect shortcuts created by wscript.exe or cscript.exe */\\n (file.path : \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.lnk\\\" and\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")) or\\n\\n /* detect vbs or js files created by any process */\\n file.path : (\\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbs\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbe\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsh\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsf\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.js\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistent Scripts in the Startup Directory\",\"description\":\"Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. 
Adversaries may abuse this technique to maintain persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"},{\"id\":\"T1547.009\",\"name\":\"Shortcut 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1547/009/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.655Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start 
Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host 
services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n file.extension : (\\\"lnk\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") and\\n not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\")) and\\n\\n /* detect shortcuts created by wscript.exe or cscript.exe */\\n (file.path : \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.lnk\\\" and\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")) or\\n\\n /* detect vbs or js files created by any process */\\n file.path : (\\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbs\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbe\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsh\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsf\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.js\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to 
file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"revision\":0,\"current_rule\":{\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"updated_at\":\"2024-12-04T19:46:02.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.657Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Linux DAC permissions\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. 
The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Linux DAC permissions\",\"description\":\"Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. 
The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.657Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or 
process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"proces
s.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\\\"0\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) 
and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.command_line\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"revision\":0,\"current_rule\":{\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"updated_at\":\"2024-12-04T19:46:02.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.660Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Worker Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes 
being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\",\"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` from @timestamp.\\nFor more details on adding a custom ingest pipeline, refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"w3wp.exe\\\" and process.parent.args : \\\"MSExchange*AppPool\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", 
\\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Worker Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\",\"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.660Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"w3wp.exe\\\" and process.parent.args : \\\"MSExchange*AppPool\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", 
\\\"powershell_ise.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` from @timestamp.\\nFor more details on adding a custom ingest pipeline, refer to 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"revision\":0,\"current_rule\":{\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"updated_at\":\"2024-12-04T19:45:40.267Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.267Z\",\"created_by\":\"elastic\",\"name\":\"Modification of AmsiEnable Registry Key\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of AmsiEnable Registry Key\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\\n\\nThis rule monitors the modifications to the Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable registry key.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Related rules\\n\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Delete or set the key to its default value.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf\",\"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` from @timestamp.\\nFor more details on adding a custom ingest pipeline, refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"AmsiEnable\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n ) and\\n registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of AmsiEnable Registry Key\",\"description\":\"Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of AmsiEnable Registry Key\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\\n\\nThis rule monitors the modifications to the Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable registry key.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Related rules\\n\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Delete or set the key to its default value.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf\",\"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.267Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense 
Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` from @timestamp.\\nFor more details on adding a custom ingest pipeline, refer to https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry 
where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"AmsiEnable\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n ) and\\n registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"revision\":0,\"current_rule\":{\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"updated_at\":\"2024-12-04T19:46:04.814Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.814Z\",\"created_by\":\"elastic\",\"name\":\"Potential Active Directory Replication Account Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. 
Attackers can use this backdoor to re-obtain access to hashes of any user/computer.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/menasec1/status/1111556090137903104\",\"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false
}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"nTSecurityDescriptor\\\" and\\n winlog.event_data.AttributeValue : (\\n (\\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Active Directory Replication Account Backdoor\",\"description\":\"Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. 
Attackers can use this backdoor to re-obtain access to hashes of any user/computer.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/menasec1/status/1111556090137903104\",\"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies 
Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.814Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"nTSecurityDescriptor\\\" and\\n winlog.event_data.AttributeValue : (\\n (\\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"revision\":0,\"current_rule\":{\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"updated_at\":\"2024-12-04T19:46:02.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.667Z\",\"created_by\":\"elastic\",\"name\":\"Ingress Transfer via Windows BITS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). 
Adversaries could leverage Windows BITS transfer jobs to download remote payloads.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Ingress Transfer via Windows BITS\\n\\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\\n\\nThis rule identifies such abuse by monitoring for file renaming events involving \\\"svchost.exe\\\" and \\\"BIT*.tmp\\\" on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Gain context into the BITS transfer.\\n - Try to determine the process that initiated the BITS transfer.\\n - Search `bitsadmin.exe` processes and examine their command lines.\\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\\n - Try to determine the origin of the file.\\n - Inspect network connections initiated by `svchost.exe`.\\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\\n - Check if the domain is newly registered or unexpected.\\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved executables using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\\n\\n### Related Rules\\n\\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\\n- Bitsadmin Activity - 
8eec4df1-4b4b-4502-b6c3-c788714604c9\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1197/\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater2_x64.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Ingress Transfer via Windows BITS\",\"description\":\"Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Ingress Transfer via Windows BITS\\n\\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\\n\\nThis rule identifies such abuse by monitoring for file renaming events involving \\\"svchost.exe\\\" and \\\"BIT*.tmp\\\" on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Gain context into the BITS transfer.\\n - Try to determine the process that initiated the BITS transfer.\\n - Search `bitsadmin.exe` processes and examine their command lines.\\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\\n - Try to determine the origin of the file.\\n - Inspect network connections initiated by `svchost.exe`.\\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\\n - Check if the domain is newly registered or unexpected.\\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved executables using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\\n\\n### Related Rules\\n\\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\\n- Bitsadmin Activity - 
8eec4df1-4b4b-4502-b6c3-c788714604c9\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1197/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.667Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater2_x64.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", 
\\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"revision\":0,\"current_rule\":{\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"updated_at\":\"2024-12-04T19:46:02.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.669Z\",\"created_by\":\"elastic\",\"name\":\"Browser Extension Install\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the install of browser extensions. 
Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1176\",\"name\":\"Browser Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1176/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n 
file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Browser Extension Install\",\"description\":\"Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1176\",\"name\":\"Browser 
Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1176/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.669Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"revision\":0,\"current_rule\":{\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"updated_at\":\"2024-12-04T19:46:02.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.671Z\",\"created_by\":\"elastic\",\"name\":\"Privileged Account Brute Force\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. 
Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privileged Account Brute Force\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern anywhere in its name, which is likely a highly privileged account. Because this is a wildcard substring match, accounts that merely contain that string (for example, helpdesk or service accounts) also match and may need to be excluded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for successful logon events (for example, Windows event ID 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL 
rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and user.name : \\\"*admin*\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privileged Account Brute Force\",\"description\":\"Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privileged Account Brute Force\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern anywhere in its name, which is likely a highly privileged account. Because this is a wildcard substring match, accounts that merely contain that string (for example, helpdesk or service accounts) also match and may need to be excluded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for successful logon events (for example, Windows event ID 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.691Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.671Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and user.name : \\\"*admin*\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"revision\":0,\"current_rule\":{\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"updated_at\":\"2024-12-04T19:46:02.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.676Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Copy to a Hidden Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a 
remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"xcopy.exe\\\") and\\n process.args : (\\\"copy*\\\", \\\"move*\\\", \\\"cp\\\", \\\"mv\\\") or\\n process.name : \\\"robocopy.exe\\\"\\n ) and process.args : \\\"*\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Copy to a Hidden Share\",\"description\":\"Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.676Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"xcopy.exe\\\") and\\n process.args : (\\\"copy*\\\", \\\"move*\\\", \\\"cp\\\", \\\"mv\\\") or\\n process.name : \\\"robocopy.exe\\\"\\n ) and process.args : 
\\\"*\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"revision\":0,\"current_rule\":{\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"updated_at\":\"2024-12-04T19:46:02.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.688Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Antimalware Scan Interface DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an 
unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Antimalware Scan Interface DLL\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process that created the DLL and which account was used.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Investigate other processes launched from the directory that the DLL was created.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and not file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Antimalware Scan Interface DLL\",\"description\":\"Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. 
This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Antimalware Scan Interface DLL\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process that created the DLL and which account was used.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Investigate other processes launched from the directory that the DLL was created.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.688Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and not file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and 
file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"revision\":0,\"current_rule\":{\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"updated_at\":\"2024-12-04T19:46:02.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.690Z\",\"created_by\":\"elastic\",\"name\":\"Potential Disabling of AppArmor\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. 
Adversaries may disable security tools to avoid possible detection of their tools and activities.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args == \\\"disable\\\" and process.args == \\\"apparmor\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Disabling of AppArmor\",\"description\":\"This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. 
Adversaries may disable security tools to avoid possible detection of their tools and activities.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.690Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and 
process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args == \\\"disable\\\" and process.args == \\\"apparmor\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and 
event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"revision\":0,\"current_rule\":{\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"updated_at\":\"2024-12-04T19:46:02.695Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.695Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Registration Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. 
This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Registration Utility\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\\n\\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.009\",\"name\":\"Regsvcs/Regasm\",\"reference\":\"https://attack.mitre.org/techniques/T1218/009/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not (\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (process.parent.name : \\\"msiexec.exe\\\" or 
process.parent.executable : (\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\"))\\n )\\n ]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and network.protocol != \\\"dns\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Registration Utility\",\"description\":\"Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Registration Utility\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\\n\\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. 
Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the 
environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security testing may produce events like this. 
Activity of this kind performed by non-engineers and ordinary users is unusual.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.009\",\"name\":\"Regsvcs/Regasm\",\"reference\":\"https://attack.mitre.org/techniques/T1218/009/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:5
1:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.695Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not (\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (process.parent.name : \\\"msiexec.exe\\\" or process.parent.executable : (\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\"))\\n )\\n ]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and network.protocol != \\\"dns\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"revision\":0,\"current_rule\":{\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"updated_at\":\"2024-12-04T19:46:02.700Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.700Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\\\\\\Temp\\\\\\\\IDC*.tmp\\\\\\\\*.exe\\\" and\\n process.parent.name : \\\"ieinstal.exe\\\" and process.parent.args : \\\"-Embedding\\\"\\n\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt 
via Elevated COM Internet Explorer Add-On Installer\",\"description\":\"Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.700Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\\\\\\Temp\\\\\\\\IDC*.tmp\\\\\\\\*.exe\\\" and\\n process.parent.name : \\\"ieinstal.exe\\\" and process.parent.args : \\\"-Embedding\\\"\\n\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) 
*/\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"revision\":0,\"current_rule\":{\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"updated_at\":\"2024-12-04T19:46:02.702Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.702Z\",\"created_by\":\"elastic\",\"name\":\"User or Group Creation/Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.result\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup 
Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /usr/sbin/groupadd -p x -k group_modification\\n-w /sbin/groupadd -p x -k group_modification\\n-w /usr/sbin/groupmod -p x -k group_modification\\n-w /sbin/groupmod -p x -k group_modification\\n-w /usr/sbin/addgroup -p x -k group_modification\\n-w /sbin/addgroup -p x -k group_modification\\n-w /usr/sbin/usermod -p x -k user_modification\\n-w /sbin/usermod -p x -k user_modification\\n-w /usr/sbin/userdel -p x -k user_modification\\n-w /sbin/userdel -p x -k user_modification\\n-w /usr/sbin/useradd -p x -k user_modification\\n-w /sbin/useradd -p x -k user_modification\\n-w /usr/sbin/adduser -p x -k user_modification\\n-w /sbin/adduser -p x -k user_modification\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and auditd.result == \\\"success\\\" and \\nevent.action in (\\\"changed-password\\\", \\\"added-user-account\\\", \\\"added-group-account-to\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User or Group Creation/Modification\",\"description\":\"This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. 
Threat actors may attempt to create or modify users or groups to establish persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /usr/sbin/groupadd -p x -k group_modification\\n-w /sbin/groupadd -p x -k group_modification\\n-w /usr/sbin/groupmod -p x -k group_modification\\n-w /sbin/groupmod -p x -k group_modification\\n-w /usr/sbin/addgroup -p x -k group_modification\\n-w /sbin/addgroup -p x -k group_modification\\n-w /usr/sbin/usermod -p x -k user_modification\\n-w /sbin/usermod -p x -k user_modification\\n-w /usr/sbin/userdel -p x -k user_modification\\n-w /sbin/userdel -p x -k 
user_modification\\n-w /usr/sbin/useradd -p x -k user_modification\\n-w /sbin/useradd -p x -k user_modification\\n-w /usr/sbin/adduser -p x -k user_modification\\n-w /sbin/adduser -p x -k user_modification\\n```\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.result\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.702Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and auditd.result == \\\"success\\\" and \\nevent.action in (\\\"changed-password\\\", \\\"added-user-account\\\", \\\"added-group-account-to\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"revision\":0,\"current_rule\":{\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"updated_at\":\"2024-12-04T19:46:02.707Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.707Z\",\"created_by\":\"elastic\",\"name\":\"Potential Application Shimming via Sdbinst\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"sdbinst.exe\\\" and\\n process.args : \\\"?*\\\" and\\n not (process.args : \\\"-m\\\" and process.args : \\\"-bg\\\") and\\n not process.args : \\\"-mm\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Application Shimming via 
Sdbinst\",\"description\":\"The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application 
Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.707Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"sdbinst.exe\\\" and\\n process.args : \\\"?*\\\" and\\n not (process.args : \\\"-m\\\" and process.args : \\\"-bg\\\") and\\n not process.args : \\\"-mm\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"revision\":0,\"current_rule\":{\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"updated_at\":\"2024-12-04T19:46:02.709Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.709Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious CertUtil Commands\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. 
CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious CertUtil Commands\\n\\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\\n\\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine the nature of the execution.\\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\\n - If files were obfuscated or deobfuscated, retrieve them.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved files using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") and\\n process.args : (\\\"?decode\\\", \\\"?encode\\\", \\\"?urlcache\\\", \\\"?verifyctl\\\", \\\"?encodehex\\\", \\\"?decodehex\\\", \\\"?exportPFX\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious CertUtil Commands\",\"description\":\"Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. 
CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious CertUtil Commands\\n\\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\\n\\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine the nature of the execution.\\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\\n - If files were obfuscated or deobfuscated, retrieve them.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved files using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.709Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") and\\n process.args : (\\\"?decode\\\", \\\"?encode\\\", \\\"?urlcache\\\", \\\"?verifyctl\\\", \\\"?encodehex\\\", \\\"?decodehex\\\", \\\"?exportPFX\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\"],\"target_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"revision\":0,\"current_rule\":{\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"updated_at\":\"2024-12-04T19:46:02.712Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.712Z\",\"created_by\":\"elastic\",\"name\":\"Svchost spawning Cmd\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Svchost spawning Cmd\\n\\nThe Service 
Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\\n\\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic 
Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[\"https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:\\\"svchost.exe\\\" and\\nprocess.name:(\\\"cmd.exe\\\" or \\\"Cmd.exe\\\" or \\\"CMD.EXE\\\") and\\nnot process.command_line : \\\"\\\\\\\"cmd.exe\\\\\\\" /C sc control hptpsmarthealthservice 
211\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.args\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\silcollector.cmd\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files\\\\\\\\Npcap\\\\\\\\CheckStatus.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files*\\\\\\\\Pulseway\\\\\\\\watchdog.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"cmd /C \\\".\\\\\\\\inetsrv\\\\\\\\iissetup.exe /keygen \\\"\"}}}}],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Svchost spawning Cmd\",\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Svchost spawning Cmd\\n\\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\\n\\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. 
This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":418,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.712Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:\\\"svchost.exe\\\" and\\nprocess.name:(\\\"cmd.exe\\\" or \\\"Cmd.exe\\\" or \\\"CMD.EXE\\\") and\\nnot process.command_line : \\\"\\\\\\\"cmd.exe\\\\\\\" /C sc control hptpsmarthealthservice 
211\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.args\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\silcollector.cmd\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files\\\\\\\\Npcap\\\\\\\\CheckStatus.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files*\\\\\\\\Pulseway\\\\\\\\watchdog.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"cmd /C \\\".\\\\\\\\inetsrv\\\\\\\\iissetup.exe /keygen \\\"\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":418,\"merged_version\":418,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"revision\":0,\"current_rule\":{\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"updated_at\":\"2024-12-04T19:45:40.276Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.276Z\",\"created_by\":\"elastic\",\"name\":\"System Binary Moved or Copied\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. 
Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"to\":\"now\",\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic 
Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", 
\\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Binary Moved or Copied\",\"description\":\"This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. 
Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":13,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.276Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable 
in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", 
\\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":13,\"merged_version\":13,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"target_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n 
\\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", \\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", 
\\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", \\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"revision\":0,\"current_rule\":{\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"updated_at\":\"2024-12-04T19:46:02.716Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.716Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Kerberos Ticket Dump\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Dump\\n\\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\\n\\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate other potentially compromised accounts and hosts. Review login events (like 4624) for suspicious events involving the subject and target accounts.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file path and user ID conditions.\\n\\n### Related Rules\\n\\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable or limit involved accounts during the investigation and response.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised 
files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"LsaCallAuthenticationPackage\\\" and\\n (\\n \\\"KerbRetrieveEncodedTicketMessage\\\" or\\n \\\"KerbQueryTicketCacheMessage\\\" or\\n \\\"KerbQueryTicketCacheExMessage\\\" or\\n \\\"KerbQueryTicketCacheEx2Message\\\" or\\n \\\"KerbRetrieveTicketMessage\\\" or\\n \\\"KerbDecryptDataMessage\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Kerberos Ticket Dump\",\"description\":\"Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which 
potentially indicates an attacker's attempt to acquire credentials for lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Dump\\n\\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\\n\\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate other potentially compromised accounts and hosts. 
Review login events (like 4624) for suspicious events involving the subject and target accounts.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file path and user ID conditions.\\n\\n### Related Rules\\n\\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable or limit involved accounts during the investigation and response.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell 
Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.716Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"LsaCallAuthenticationPackage\\\" and\\n (\\n \\\"KerbRetrieveEncodedTicketMessage\\\" or\\n \\\"KerbQueryTicketCacheMessage\\\" or\\n \\\"KerbQueryTicketCacheExMessage\\\" or\\n \\\"KerbQueryTicketCacheEx2Message\\\" or\\n \\\"KerbRetrieveTicketMessage\\\" or\\n \\\"KerbDecryptDataMessage\\\"\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"revision\":0,\"current_rule\":{\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"updated_at\":\"2024-12-04T19:46:02.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.723Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Password Policy Discovery Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies PowerShell scripts that contain cmdlets, methods, or LDAP attribute lookups capable of enumerating the domain password policy (for example Get-ADDefaultDomainPasswordPolicy, Get-DomainPolicy, or the minPwdLength, minPwdAge, maxPwdAge, and msDS-PasswordSettings attributes). 
Attackers can use this information to tune password spraying or brute-force attempts against the account lockout policy.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n(\\n powershell.file.script_block_text: (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADFineGrainedPasswordPolicy\\\" or\\n \\\"Get-ADUserResultantPasswordPolicy\\\" or\\n \\\"Get-DomainPolicy\\\" or\\n \\\"Get-GPPPassword\\\" or\\n \\\"Get-PassPol\\\"\\n )\\n or\\n powershell.file.script_block_text: (\\n (\\\"defaultNamingContext\\\" or \\\"ActiveDirectory.DirectoryContext\\\" or \\\"ActiveDirectory.DirectorySearcher\\\") and\\n (\\n (\\n \\\".MinLengthPassword\\\" or\\n \\\".MinPasswordAge\\\" or\\n \\\".MaxPasswordAge\\\"\\n ) or\\n (\\n \\\"minPwdAge\\\" or\\n \\\"maxPwdAge\\\" or\\n \\\"minPwdLength\\\"\\n ) or\\n (\\n \\\"msDS-PasswordSettings\\\"\\n )\\n )\\n )\\n) and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not \\n (\\n powershell.file.script_block_text : (\\\"43c15630-959c-49e4-a977-758c5cc93408\\\" and \\\"CmdletsToExport\\\" and \\\"ActiveDirectory.Types.ps1xml\\\")\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Password Policy Discovery Capabilities\",\"description\":\"Identifies PowerShell scripts that contain cmdlets, methods, or LDAP attribute lookups capable of enumerating the domain password policy (for example Get-ADDefaultDomainPasswordPolicy, Get-DomainPolicy, or the minPwdLength, minPwdAge, maxPwdAge, and msDS-PasswordSettings attributes). 
Attackers can use this information to tune password spraying or brute-force attempts against the account lockout policy.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n(\\n powershell.file.script_block_text: (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADFineGrainedPasswordPolicy\\\" or\\n \\\"Get-ADUserResultantPasswordPolicy\\\" or\\n \\\"Get-DomainPolicy\\\" or\\n \\\"Get-GPPPassword\\\" or\\n \\\"Get-PassPol\\\"\\n )\\n or\\n powershell.file.script_block_text: (\\n (\\\"defaultNamingContext\\\" or \\\"ActiveDirectory.DirectoryContext\\\" or \\\"ActiveDirectory.DirectorySearcher\\\") and\\n (\\n (\\n \\\".MinLengthPassword\\\" or\\n \\\".MinPasswordAge\\\" or\\n \\\".MaxPasswordAge\\\"\\n ) or\\n (\\n \\\"minPwdAge\\\" or\\n \\\"maxPwdAge\\\" or\\n \\\"minPwdLength\\\"\\n ) or\\n (\\n \\\"msDS-PasswordSettings\\\"\\n )\\n )\\n )\\n) and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not \\n (\\n powershell.file.script_block_text : (\\\"43c15630-959c-49e4-a977-758c5cc93408\\\" and \\\"CmdletsToExport\\\" and \\\"ActiveDirectory.Types.ps1xml\\\")\\n )\\n and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"revision\":0,\"current_rule\":{\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"updated_at\":\"2024-12-04T19:45:40.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.278Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Windows Defender Tampering\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Windows Defender Tampering\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. 
Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for modifications that disable Windows Defender features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Legitimate Windows Defender configuration changes\"],\"from\":\"now-9m\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Windows Defender Tampering\",\"description\":\"Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Windows Defender Tampering\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for modifications that disable Windows Defender features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[\"Legitimate Windows Defender configuration 
changes\"],\"references\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\"],\"target_version\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://thedfirreport.com/2021/10/18/icedid-
to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\"
:\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit 
Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time 
Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":8,\"num_fields_with_conflicts\":7,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"revision\":0,\"current_rule\":{\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"updated_at\":\"2024-12-04T19:45:40.281Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.281Z\",\"created_by\":\"elastic\",\"name\":\"MS Office Macro Security Registry Modifications\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. 
Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MS Office Macro Security Registry Modifications\\n\\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\\n\\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\\n\\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. These settings include:\\n\\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n\\nThis rule looks for registry changes affecting the conditions above.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user and check if the change was done manually.\\n- Verify whether malicious macros were executed after the registry change.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently executed Office documents and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the registry key value.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Explore using GPOs to manage security settings for Microsoft Office macros.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MS Office Macro Security Registry 
Modifications\",\"description\":\"Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MS Office Macro Security Registry Modifications\\n\\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\\n\\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\\n\\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\\n\\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n\\nThis rule looks for registry changes affecting the conditions above.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user and check if the change was done manually.\\n- Verify whether malicious macros were executed after the registry change.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently executed Office documents and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the registry key value.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Explore using GPOs to manage security settings for Microsoft Office macros.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.281Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* 
MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", 
\\\"1\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"revision\":0,\"current_rule\":{\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"updated_at\":\"2024-12-04T19:46:02.730Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.730Z\",\"created_by\":\"elastic\",\"name\":\"Roshal Archive (RAR) or PowerShell File Downloaded from the Internet\",\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). 
This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Threat intel\\n\\nThis activity has been observed in FIN7 campaigns.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.\"],\"from\":\"now-9m\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\",\"https://www.justice.gov/opa/press-release/file/1084361/download\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"url.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"url.path\",\"type\":\"wildcard\",\"ecs\":true}],\"setup\":\"
\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.http or network_traffic.tls) or\\n (event.category: (network or network_traffic) and network.protocol: http)) and\\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Roshal Archive (RAR) or PowerShell File Downloaded from the Internet\",\"description\":\"Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). 
This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Threat intel\\n\\nThis activity has been observed in FIN7 campaigns.\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\",\"https://www.justice.gov/opa/press-release/file/1084361/download\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"url.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"url.path\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.730Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.http or network_traffic.tls) or\\n (event.category: (network or network_traffic) and network.protocol: http)) and\\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"target_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"revision\":0,\"current_rule\":{\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"updated_at\":\"2024-12-04T19:46:02.735Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.735Z\",\"created_by\":\"elastic\",\"name\":\"Cron Job Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Cron Job Created or Modified\\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. 
\\n\\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the cron job file that was created or modified.\\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\\\n'/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Cron File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, 
u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific 
administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":12,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path : \\\"/var/spool/cron/crontabs/tmp.*\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"crontab\\\", \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Cron Job Created or Modified\",\"description\":\"This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. 
By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Cron Job Created or Modified\\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \\n\\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the cron job file that was created or modified.\\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\\\n'/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Cron File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = 
{{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the cron job or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":14,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.735Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in 
(\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n 
process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":12,\"target_version\":14,\"merged_version\":14,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n 
\\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path : \\\"/var/spool/cron/crontabs/tmp.*\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"crontab\\\", \\\"crond\\\", 
\\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n 
\\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", 
\\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"revision\":0,\"current_rule\":{\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"updated_at\":\"2024-12-04T19:46:02.740Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.740Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Process Access via Windows API\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Process Access via Windows API\\n\\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\\n\\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \\\"lsass.exe\\\" process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Assess the access rights (`process.Ext.api.parameters.desired_access` field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may help with interpretation.\\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\\n\\n### Related Rules\\n\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"Target.process.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.api.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.api-*\",\"logs-m365_defender.event-*\"],\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware 
Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\KES*\\\\\\\\avp.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Process Access via Windows API\",\"description\":\"Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and 
analysis\\n\\n### Investigating LSASS Process Access via Windows API\\n\\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\\n\\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \\\"lsass.exe\\\" process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. 
This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\\n\\n### Related Rules\\n\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during 
triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":10,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"Target.process.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.api.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.693Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.740Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure 
mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.api-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":10,\"merged_version\":10,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\KES*\\\\\\\\avp.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium 
Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", 
\\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"revision\":0,\"current_rule\":{\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"updated_at\":\"2024-12-04T19:46:04.826Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.826Z\",\"created_by\":\"elastic\",\"name\":\"Alternate Data Stream Creation/Execution at Volume Root Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.category in (\\\"file\\\", \\\"process\\\") and \\n (\\n (event.type == \\\"creation\\\" and file.path regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\") or \\n (event.type == \\\"start\\\" and process.executable regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Alternate Data Stream Creation/Execution at Volume Root Directory\",\"description\":\"Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for 
Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:11.693Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.826Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.category in (\\\"file\\\", \\\"process\\\") and \\n (\\n (event.type == \\\"creation\\\" and file.path regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\") or 
\\n (event.type == \\\"start\\\" and process.executable regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}}]}" }, "redirectURL": "", "headersSize": 1392, "bodySize": 988044, "_transferSize": 989436, "_error": null, "_fetchedViaServiceWorker": 
false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.771Z", "time": 2017.7690000273287, "timings": { "blocked": 0.7569999996870757, "dns": -1, "ssl": -1, "connect": -1, "send": 0.06799999999999995, "wait": 1960.5590000241398, "receive": 56.38500000350177, "_blocked_queueing": 0.21399999968707561, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "getPrebuiltRulesStatus", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142115, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142307, "columnNumber": 94 }, { "functionName": "fetchFn", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142327, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276606, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299204, "columnNumber": 10 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": 
"8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395192", "request": { "method": "GET", "url": "http://localhost:5601/internal/detection_engine/prebuilt_rules/status", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", 
"value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2005, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": 
"Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:11 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "161" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 161, "mimeType": "application/json", "compression": 0, "text": "{\"stats\":{\"num_prebuilt_rules_installed\":1191,\"num_prebuilt_rules_to_install\":65,\"num_prebuilt_rules_to_upgrade\":661,\"num_prebuilt_rules_total_in_package\":1256}}" }, "redirectURL": "", "headersSize": 1360, "bodySize": 161, "_transferSize": 1521, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:09.771Z", "time": 1925.288999977056, "timings": { "blocked": 0.7310000001974404, "dns": -1, "ssl": -1, "connect": -1, "send": 0.019000000000000017, "wait": 1923.148999986507, "receive": 1.3899999903514981, "_blocked_queueing": 0.23700000019744039, "_workerStart": -1, "_workerReady": 
-1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 413, "columnNumber": 49 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.makeRequest", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 409, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 394, "columnNumber": 50 }, { "functionName": "step", "scriptId": 
"8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.sendEvents", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 388, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 377, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 
}, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 372, "columnNumber": 65 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 80 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409345, "columnNumber": 28 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { 
"functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 
}, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", 
"url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ] } } } } } } } } } } } } } } } } } } } } } } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "request": { "method": "POST", "url": "https://telemetry-staging.elastic.co/v3/send/kibana-browser", "httpVersion": "h3", "headers": [ { "name": ":authority", "value": "telemetry-staging.elastic.co" }, { "name": ":method", "value": "POST" }, { "name": ":path", "value": "/v3/send/kibana-browser" }, { "name": ":scheme", "value": "https" }, { "name": "accept", "value": "*/*" }, { "name": "accept-encoding", "value": "gzip, deflate, br, zstd" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "content-length", "value": "1927" }, { "name": "content-type", "value": "application/x-ndjson" }, { "name": "origin", "value": "http://localhost:5601" }, { "name": "priority", "value": "u=1, i" }, { "name": "referer", "value": "http://localhost:5601/" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "sec-fetch-dest", "value": "empty" }, { "name": "sec-fetch-mode", "value": "cors" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "user-agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "x-elastic-cluster-id", "value": "EHqtcAR2QhGSP7yHLfNlwg" }, { "name": "x-elastic-license-id", "value": "3c8db61e-5e38-46f9-9136-ef1d1e649473" }, { "name": "x-elastic-stack-version", "value": "9.0.0" } ], "queryString": [], "cookies": [], "headersSize": -1, 
"bodySize": 1927, "postData": { "mimeType": "application/x-ndjson", "text": "{\"timestamp\":\"2024-12-06T16:51:09.577Z\",\"event_type\":\"click\",\"context\":{\"isDev\":true,\"isDistributable\":false,\"version\":\"9.0.0\",\"branch\":\"main\",\"buildNum\":9007199254740991,\"buildSha\":\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\"session_id\":\"954374bc-5779-4072-8be3-6c6c157902a0\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\",\"preferred_language\":\"en-US\",\"preferred_languages\":[\"en-US\",\"en\"],\"viewport_width\":1613,\"viewport_height\":546,\"cluster_name\":\"elasticsearch\",\"cluster_uuid\":\"EHqtcAR2QhGSP7yHLfNlwg\",\"cluster_version\":\"9.0.0-SNAPSHOT\",\"cluster_build_flavor\":\"default\",\"pageName\":\"application:securitySolutionUI:/rules/updates\",\"applicationId\":\"securitySolutionUI\",\"page\":\"/rules/updates\",\"page_title\":\"Elastic\",\"page_url\":\"/app/security/rules/updates\",\"license_id\":\"3c8db61e-5e38-46f9-9136-ef1d1e649473\",\"license_status\":\"active\",\"license_type\":\"trial\",\"labels\":{},\"discoverProfiles\":[],\"userId\":\"986051385feae5b9850804db2d701c0b029ad24f09bce340c12aee7a5c8a0391\",\"isElasticCloudUser\":false},\"properties\":{\"target\":[\"DIV\",\"data-focus-lock-disabled=false\",\"DIV\",\"class=euiFlyout css-8sfk26-euiFlyout-l-l-noMaxWidth-overlay-right-right\",\"id=updatePrebuiltRulePreview\",\"data-test-subj=updatePrebuiltRulePreview\",\"aria-labelledby=prebuiltRulesFlyoutTitle_3a207d41-b3f2-11ef-8ce2-dbbfaafa5713\",\"role=dialog\",\"tabindex=0\",\"aria-describedby=i3a207d43-b3f2-11ef-8ce2-dbbfaafa5713\",\"data-autofocus=true\",\"DIV\",\"class=euiFlyoutFooter css-1tozt5i-euiFlyoutFooter\",\"DIV\",\"class=euiFlexGroup css-i9roje-euiFlexGroup-responsive-l-spaceBetween-stretch-row\",\"DIV\",\"class=euiFlexItem css-kpsrin-euiFlexItem-growZero\",\"BUTTON\",\"type=button\",\"class=euiButton 
css-4wl8yg-euiButtonDisplay-m-defaultMinWidth-fill-primary\",\"data-test-subj=updatePrebuiltRuleFromFlyoutButton\",\"SPAN\",\"class=css-cf8eum-euiButtonDisplayContent\",\"SPAN\",\"class=eui-textTruncate\"]}}\n" } }, "response": { "status": 200, "statusText": "", "httpVersion": "h3", "headers": [ { "name": "access-control-allow-origin", "value": "*" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-type", "value": "application/json" }, { "name": "date", "value": "Fri, 06 Dec 2024 16:51:10 GMT" }, { "name": "function-execution-id", "value": "2lucu9y227lm" }, { "name": "server", "value": "Google Frontend" }, { "name": "via", "value": "1.1 google" }, { "name": "x-cloud-trace-context", "value": "07c65f3d9b324277a4b3291b332bf3e7" } ], "cookies": [], "content": { "size": 16, "mimeType": "application/json", "text": "{\"status\": \"ok\"}" }, "redirectURL": "", "headersSize": -1, "bodySize": -1, "_transferSize": 57, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "[2600:1901:0:2fb7::]", "startedDateTime": "2024-12-06T16:51:09.850Z", "time": 251.53700000373647, "timings": { "blocked": 65.70100000594184, "dns": -1, "ssl": -1, "connect": -1, "send": 0.127, "wait": 185.390000013493, "receive": 0.3189999843016267, "_blocked_queueing": 65.50500000594184, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 3715, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 413, "columnNumber": 49 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.makeRequest", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 409, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 394, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.sendEvents", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 388, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 377, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 372, "columnNumber": 65 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 80 }, { 
"functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409345, "columnNumber": 28 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", 
"callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, 
{ "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { 
"functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { 
"functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": 
"OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", 
"url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ] } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "request": { "method": "POST", "url": "https://telemetry-staging.elastic.co/v3/send/kibana-browser", "httpVersion": "h3", "headers": [ { "name": ":authority", "value": "telemetry-staging.elastic.co" }, { "name": ":method", "value": "POST" }, { "name": ":path", "value": "/v3/send/kibana-browser" }, { "name": ":scheme", "value": "https" }, { "name": "accept", "value": "*/*" }, { "name": "accept-encoding", "value": "gzip, deflate, br, zstd" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "content-length", "value": "1727" }, { "name": "content-type", "value": "application/x-ndjson" }, { "name": "origin", "value": "http://localhost:5601" }, { "name": "priority", "value": "u=1, i" }, { "name": "referer", "value": "http://localhost:5601/" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "sec-fetch-dest", "value": "empty" }, { "name": "sec-fetch-mode", "value": "cors" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "user-agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "x-elastic-cluster-id", "value": "EHqtcAR2QhGSP7yHLfNlwg" }, { "name": "x-elastic-license-id", "value": "3c8db61e-5e38-46f9-9136-ef1d1e649473" }, { "name": "x-elastic-stack-version", "value": "9.0.0" } ], "queryString": [], "cookies": [], 
"headersSize": -1, "bodySize": 1727, "postData": { "mimeType": "application/x-ndjson", "text": "{\"timestamp\":\"2024-12-06T16:51:14.133Z\",\"event_type\":\"click\",\"context\":{\"isDev\":true,\"isDistributable\":false,\"version\":\"9.0.0\",\"branch\":\"main\",\"buildNum\":9007199254740991,\"buildSha\":\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\"session_id\":\"954374bc-5779-4072-8be3-6c6c157902a0\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\",\"preferred_language\":\"en-US\",\"preferred_languages\":[\"en-US\",\"en\"],\"viewport_width\":1613,\"viewport_height\":546,\"cluster_name\":\"elasticsearch\",\"cluster_uuid\":\"EHqtcAR2QhGSP7yHLfNlwg\",\"cluster_version\":\"9.0.0-SNAPSHOT\",\"cluster_build_flavor\":\"default\",\"pageName\":\"application:securitySolutionUI:/rules/updates\",\"applicationId\":\"securitySolutionUI\",\"page\":\"/rules/updates\",\"page_title\":\"Elastic\",\"page_url\":\"/app/security/rules/updates\",\"license_id\":\"3c8db61e-5e38-46f9-9136-ef1d1e649473\",\"license_status\":\"active\",\"license_type\":\"trial\",\"labels\":{},\"discoverProfiles\":[],\"userId\":\"986051385feae5b9850804db2d701c0b029ad24f09bce340c12aee7a5c8a0391\",\"isElasticCloudUser\":false},\"properties\":{\"target\":[\"HTML\",\"lang=en\",\"BODY\",\"class=coreSystemRootDomElement euiBody--headerIsFixed kbnBody kbnBody--noHeaderBanner kbnBody--chromeVisible kbnVersion-9-0-0\",\"DIV\",\"DIV\",\"DIV\",\"aria-live=polite\",\"role=log\",\"class=euiGlobalToastList css-l1wxwy-euiGlobalToastList-right\",\"aria-label=Notification message list\",\"data-test-subj=globalToastList\",\"DIV\",\"class=euiToast euiGlobalToastListItem css-182movu-euiToast-success-euiGlobalToastListItem-dismissed\",\"id=1\",\"BUTTON\",\"class=euiButtonIcon css-1eubb6s-euiButtonIcon-xs-empty-text-euiToast__closeButton\",\"type=button\",\"aria-label=Dismiss toast\",\"data-test-subj=toastCloseButton\"]}}\n" } }, "response": { 
"status": 200, "statusText": "", "httpVersion": "h3", "headers": [ { "name": "access-control-allow-origin", "value": "*" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-type", "value": "application/json" }, { "name": "date", "value": "Fri, 06 Dec 2024 16:51:15 GMT" }, { "name": "function-execution-id", "value": "gs3ek9e3jknq" }, { "name": "server", "value": "Google Frontend" }, { "name": "via", "value": "1.1 google" }, { "name": "x-cloud-trace-context", "value": "7593054ad0b5185d43ec5729e4e4a148" } ], "cookies": [], "content": { "size": 16, "mimeType": "application/json", "text": "{\"status\": \"ok\"}" }, "redirectURL": "", "headersSize": -1, "bodySize": -1, "_transferSize": 57, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "[2600:1901:0:2fb7::]", "startedDateTime": "2024-12-06T16:51:14.939Z", "time": 281.55600000172853, "timings": { "blocked": 74.83699997603894, "dns": -1, "ssl": -1, "connect": -1, "send": 0.21200000000000002, "wait": 205.59000002811848, "receive": 0.9169999975711107, "_blocked_queueing": 74.42199997603893, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { 
"functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "performUpgradeSpecificRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142168, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276596, "columnNumber": 83 }, { "functionName": "fn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196387, "columnNumber": 30 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "executeMutation", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196381, "columnNumber": 90 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196438, "columnNumber": 25 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395198", "request": { "method": "POST", "url": "http://localhost:5601/internal/detection_engine/prebuilt_rules/upgrade/_perform", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "760" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2068, "bodySize": 760, "postData": { "mimeType": "application/json", "text": 
"{\"mode\":\"SPECIFIC_RULES\",\"rules\":[{\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"version\":310,\"revision\":1,\"fields\":{\"references\":{\"pick_version\":\"RESOLVED\",\"resolved_value\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"]},\"related_integrations\":{\"pick_version\":\"RESOLVED\",\"resolved_value\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}]}}}],\"pick_version\":\"MERGED\"}" } }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:18 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), 
microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5306, "mimeType": "application/json", "compression": 2916, "text": "{\"summary\":{\"total\":1,\"skipped\":0,\"succeeded\":1,\"failed\":0},\"results\":{\"updated\":[{\"name\":\"Attempt to Modify an Okta Policy Rule\",\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timestamp_override_fallback_disabled\":false,\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the 
Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-60s\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to 
filter false positives if Okta MFA rules are regularly modified in your organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"updated_at\":\"2024-12-06T16:51:18.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"revision\":2,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"filters\":[],\"query\":\"event.dataset:okta.system and event.action:policy.rule.update\\n\",\"language\":\"kuery\"}],\"skipped\":[]},\"errors\":[]}" }, "redirectURL": "", "headersSize": 1392, "bodySize": 2390, 
"_transferSize": 3782, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:18.327Z", "time": 653.7680000183173, "timings": { "blocked": 0.720000011894852, "dns": -1, "ssl": -1, "connect": -1, "send": 0.07100000000000001, "wait": 652.268000021059, "receive": 0.7089999853633344, "_blocked_queueing": 0.4220000118948519, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 413, "columnNumber": 49 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": 
"../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.makeRequest", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 409, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 394, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.sendEvents", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 388, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 377, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 372, "columnNumber": 65 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 80 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409345, "columnNumber": 28 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, 
"columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 
103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, 
"columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { 
"functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", 
"callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, 
{ "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { 
"functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { 
"functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": 
"OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", 
"url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ] } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "request": { "method": "POST", "url": "https://telemetry-staging.elastic.co/v3/send/kibana-browser", "httpVersion": "h3", "headers": [ { "name": ":authority", "value": "telemetry-staging.elastic.co" }, { "name": ":method", "value": "POST" }, { "name": ":path", "value": "/v3/send/kibana-browser" }, { "name": ":scheme", "value": "https" }, { "name": "accept", "value": "*/*" }, { "name": "accept-encoding", "value": "gzip, deflate, br, zstd" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "content-length", "value": "3116" }, { "name": "content-type", "value": "application/x-ndjson" }, { "name": "origin", "value": "http://localhost:5601" }, { "name": "priority", "value": "u=1, i" }, { "name": "referer", "value": "http://localhost:5601/" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "sec-fetch-dest", "value": "empty" }, { "name": "sec-fetch-mode", "value": "cors" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "user-agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "x-elastic-cluster-id", "value": "EHqtcAR2QhGSP7yHLfNlwg" }, { "name": "x-elastic-license-id", "value": "3c8db61e-5e38-46f9-9136-ef1d1e649473" }, { "name": "x-elastic-stack-version", "value": "9.0.0" } ], "queryString": [], "cookies": [], 
"headersSize": -1, "bodySize": 3116, "postData": { "mimeType": "application/x-ndjson", "text": "{\"timestamp\":\"2024-12-06T16:51:18.327Z\",\"event_type\":\"click\",\"context\":{\"isDev\":true,\"isDistributable\":false,\"version\":\"9.0.0\",\"branch\":\"main\",\"buildNum\":9007199254740991,\"buildSha\":\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\"session_id\":\"954374bc-5779-4072-8be3-6c6c157902a0\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\",\"preferred_language\":\"en-US\",\"preferred_languages\":[\"en-US\",\"en\"],\"viewport_width\":1613,\"viewport_height\":546,\"cluster_name\":\"elasticsearch\",\"cluster_uuid\":\"EHqtcAR2QhGSP7yHLfNlwg\",\"cluster_version\":\"9.0.0-SNAPSHOT\",\"cluster_build_flavor\":\"default\",\"pageName\":\"application:securitySolutionUI:/rules/updates\",\"applicationId\":\"securitySolutionUI\",\"page\":\"/rules/updates\",\"page_title\":\"Elastic\",\"page_url\":\"/app/security/rules/updates\",\"license_id\":\"3c8db61e-5e38-46f9-9136-ef1d1e649473\",\"license_status\":\"active\",\"license_type\":\"trial\",\"labels\":{},\"discoverProfiles\":[],\"userId\":\"986051385feae5b9850804db2d701c0b029ad24f09bce340c12aee7a5c8a0391\",\"isElasticCloudUser\":false},\"properties\":{\"target\":[\"HTML\",\"lang=en\",\"BODY\",\"class=coreSystemRootDomElement euiBody--headerIsFixed kbnBody kbnBody--noHeaderBanner kbnBody--chromeVisible kbnVersion-9-0-0\",\"DIV\",\"id=kibana-body\",\"data-test-subj=kibanaChrome\",\"DIV\",\"class=kbnAppWrapper\",\"data-test-subj=kbnAppWrapper visibleChrome\",\"DIV\",\"class=kbnAppWrapper\",\"aria-busy=false\",\"DIV\",\"id=security-solution-app\",\"class=SecuritySolutionAppWrapper-sc-2kezi3-0 mHTfD kbnAppWrapper\",\"DIV\",\"theme=[object Object]\",\"class=euiPageTemplate kbnPageTemplate StyledKibanaPageTemplate-sc-hfq6ac-0 dddWni css-cjgvy1-euiPageOuter-row-grow\",\"style=padding-block-start: 
0px;\",\"MAIN\",\"id=EuiPageTemplateInner_36d5e621-b3f2-11ef-8ce2-dbbfaafa5713\",\"class=css-1fu6ml5-euiPageInner-panelled-left\",\"DIV\",\"class=securityPageWrapper css-1rmm09i-euiPageSection-grow-l-top-plain\",\"data-test-subj=pageContainer\",\"DIV\",\"class=css-53k5cm-euiPageSection__content-l\",\"DIV\",\"class=Wrapper-sc-1kulm59-0 gxuUvv securitySolutionWrapper securitySolutionWrapper--withTimeline\",\"DIV\",\"aria-busy=false\",\"data-test-subj=euiSkeletonLoadingAriaWrapper\",\"DIV\",\"class=euiBasicTable\",\"data-test-subj=rules-upgrades-table\",\"TABLE\",\"tabindex=-1\",\"class=euiTable css-scsls8-euiTable-fixed-uncompressed-desktop\",\"id=__table_38d81ec1-b3f2-11ef-8ce2-dbbfaafa5713\",\"TBODY\",\"class=css-0\",\"TR\",\"class=euiTableRow euiTableRow-isSelectable css-1hxpkd1-euiTableRow-desktop\",\"TD\",\"class=euiTableRowCell css-dmrba8-euiTableRowCell-middle-desktop\",\"style=width: 10%;\",\"DIV\",\"class=euiTableCellContent css-1hdv18y-euiTableCellContent-center-wrapText\",\"SPAN\",\"class=euiToolTipAnchor css-jcaat8-euiToolTipAnchor-inlineBlock\",\"BUTTON\",\"class=euiButtonEmpty css-bzmdi2-euiButtonDisplay-euiButtonEmpty-s-empty-disabled-isDisabled\",\"type=button\",\"data-test-subj=upgradeSinglePrebuiltRuleButton-000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"aria-describedby=i38d8bb07-b3f2-11ef-8ce2-dbbfaafa5713\",\"disabled=\",\"SPAN\",\"class=euiButtonEmpty__content css-cf8eum-euiButtonDisplayContent\",\"SPAN\",\"class=eui-textTruncate euiButtonEmpty__text\"]}}\n" } }, "response": { "status": 200, "statusText": "", "httpVersion": "h3", "headers": [ { "name": "access-control-allow-origin", "value": "*" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-type", "value": "application/json" }, { "name": "date", "value": "Fri, 06 Dec 2024 16:51:19 GMT" }, { "name": 
"function-execution-id", "value": "nxp5gfz5499u" }, { "name": "server", "value": "Google Frontend" }, { "name": "via", "value": "1.1 google" }, { "name": "x-cloud-trace-context", "value": "8adf8bf2fdae0de810bddc9ad4c467de" } ], "cookies": [], "content": { "size": 16, "mimeType": "application/json", "text": "{\"status\": \"ok\"}" }, "redirectURL": "", "headersSize": -1, "bodySize": -1, "_transferSize": 57, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "[2600:1901:0:2fb7::]", "startedDateTime": "2024-12-06T16:51:18.946Z", "time": 206.90300001297146, "timings": { "blocked": 2.679999999932945, "dns": -1, "ssl": -1, "connect": -1, "send": 0.18699999999999994, "wait": 203.76499998677895, "receive": 0.2710000262595713, "_blocked_queueing": 2.2779999999329448, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRules", "scriptId": "9051", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141804, "columnNumber": 86 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277380, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277411, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276602, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395198", "request": { "method": "GET", "url": "http://localhost:5601/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc&filter=(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [ { "name": "page", "value": "1" }, { "name": "per_page", "value": "20" }, { "name": "sort_field", "value": "enabled" }, { "name": "sort_order", "value": "desc" }, { "name": "filter", "value": 
"(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)" } ], "cookies": [], "headersSize": 2941, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:20 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": 
"Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5239, "mimeType": "application/json", "compression": 2887, "text": "{\"page\":1,\"perPage\":20,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:51:18.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":2,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address 
(`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"timestamp_override_fallback_disabled\":false,\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to 
this rule to filter false positives if Okta MFA rules are regularly modified in your organization.\"],\"from\":\"now-60s\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"version\":310,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.rule.update\\n\",\"filters\":[],\"actions\":[]}]}" }, "redirectURL": "", "headersSize": 1401, "bodySize": 2352, "_transferSize": 3753, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:19.017Z", "time": 1542.8979999851435, "timings": { "blocked": 0.8609999927803874, "dns": -1, "ssl": -1, "connect": -1, "send": 0.061, "wait": 1540.7490000208131, "receive": 1.226999971549958, "_blocked_queueing": 0.4729999927803874, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRulesSnoozeSettings", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141850, "columnNumber": 102 }, { "functionName": "Object", "scriptId": "9053", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277303, "columnNumber": 77 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277325, "columnNumber": 23 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276603, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395192", "request": { "method": "POST", "url": "http://localhost:5601/internal/alerting/rules/_find", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "162" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": 
"?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2016, "bodySize": 162, "postData": { "mimeType": "application/json", "text": "{\"filter\":\"alert.id:\\\"alert:561cb5f3-6c26-4547-8959-681ac9b83e2b\\\"\",\"fields\":\"[\\\"muteAll\\\",\\\"activeSnoozes\\\",\\\"isSnoozedUntil\\\",\\\"snoozeSchedule\\\"]\",\"per_page\":1}" } }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:19 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "163" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 163, "mimeType": 
"application/json", "compression": 0, "text": "{\"page\":1,\"per_page\":1,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"actions\":[],\"mute_all\":false,\"snooze_schedule\":[],\"is_snoozed_until\":null}]}" }, "redirectURL": "", "headersSize": 1314, "bodySize": 163, "_transferSize": 1477, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:19.017Z", "time": 120.51199999405071, "timings": { "blocked": 0.9559999499581754, "dns": -1, "ssl": -1, "connect": -1, "send": 0.03300000000000003, "wait": 119.15900000817702, "receive": 0.36400003591552377, "_blocked_queueing": 0.3679999499581754, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRuleManagementFilters", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", 
"lineNumber": 142020, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277231, "columnNumber": 98 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277251, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276604, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", 
"lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2396293", "request": { "method": "GET", "url": "http://localhost:5601/internal/detection_engine/rules/_rule_management_filters", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": 
"sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2014, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:19 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 2972, "mimeType": "application/json", "compression": 1962, "text": 
"{\"rules_summary\":{\"custom_count\":0,\"prebuilt_installed_count\":1191},\"aggregated_fields\":{\"tags\":[\"Data Source: APM\",\"Data Source: AWS\",\"Data Source: AWS Bedrock\",\"Data Source: AWS CloudWatch\",\"Data Source: AWS Cloudtrail\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Data Source: AWS KMS\",\"Data Source: AWS Lambda\",\"Data Source: AWS RDS\",\"Data Source: AWS Redshift\",\"Data Source: AWS Route53\",\"Data Source: AWS S3\",\"Data Source: AWS SSM\",\"Data Source: AWS STS\",\"Data Source: AWS Secrets Manager\",\"Data Source: AWS Signin\",\"Data Source: AWS Systems Manager\",\"Data Source: Active Directory\",\"Data Source: Amazon EC2\",\"Data Source: Amazon Route53\",\"Data Source: Amazon S3\",\"Data Source: Amazon Web Services\",\"Data Source: Auditd Manager\",\"Data Source: Azure\",\"Data Source: Cloudformation\",\"Data Source: CyberArk PAS\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Defend for Containers\",\"Data Source: Elastic Endgame\",\"Data Source: File Integrity Monitoring\",\"Data Source: GCP\",\"Data Source: Github\",\"Data Source: Google Cloud Platform\",\"Data Source: Google Workspace\",\"Data Source: Kubernetes\",\"Data Source: Microsoft 365\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Microsoft Entra ID\",\"Data Source: Network\",\"Data Source: Okta\",\"Data Source: PowerShell Logs\",\"Data Source: Rapid7 Threat Command\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Windows\",\"Data Source: Zoom\",\"Domain: Cloud\",\"Domain: Container\",\"Domain: Endpoint\",\"Domain: LLM\",\"Domain: Network\",\"Domain: SaaS\",\"Mitre Atlas: LLM04\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Resources: Investigation Guide\",\"Rule Type: BBR\",\"Rule Type: Higher-Order Rule\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Rule Type: Threat Match\",\"Tactic: 
Collection\",\"Tactic: Command and Control\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Tactic: Exfiltration\",\"Tactic: Impact\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Reconnaissance\",\"Tactic: Resource Development\",\"Tactic:Execution\",\"Threat: BPFDoor\",\"Threat: Cobalt Strike\",\"Threat: Lightning Framework\",\"Threat: Orbit\",\"Threat: Rootkit\",\"Threat: TripleCross\",\"Use Case: Active Directory Monitoring\",\"Use Case: Asset Visibility\",\"Use Case: C2 Beaconing Detection\",\"Use Case: Configuration Audit\",\"Use Case: Continuous Monitoring\",\"Use Case: Data Exfiltration Detection\",\"Use Case: Domain Generation Algorithm Detection\",\"Use Case: Guided Onboarding\",\"Use Case: Identity and Access Audit\",\"Use Case: Lateral Movement Detection\",\"Use Case: Living off the Land Attack Detection\",\"Use Case: Log Auditing\",\"Use Case: Network Security Monitoring\",\"Use Case: Policy Violation\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Use Case: Vulnerability\"]}}" }, "redirectURL": "", "headersSize": 1392, "bodySize": 1010, "_transferSize": 2402, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:19.017Z", "time": 1021.2249999749474, "timings": { "blocked": 0.9539999734684825, "dns": -1, "ssl": -1, "connect": -1, "send": 0.02299999999999991, "wait": 664.483000015784, "receive": 355.7649999856949, "_blocked_queueing": 0.2869999734684825, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, 
"columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "reviewRuleUpgrade", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142130, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142370, "columnNumber": 89 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142390, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276605, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "POST", "url": "http://localhost:5601/internal/detection_engine/prebuilt_rules/upgrade/_review", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "0" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2065, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:21 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": 
"cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 9390747, "mimeType": "application/json", "compression": 8404651, "text": "{\"stats\":{\"num_rules_to_upgrade_total\":660,\"num_rules_with_conflicts\":659,\"num_rules_with_non_solvable_conflicts\":8,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Tactic: Lateral Movement\",\"Use Case: Network Security Monitoring\",\"Domain: SaaS\",\"OS: Windows\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
Google Workspace\",\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"OS: Linux\",\"OS: macOS\",\"Data Source: Sysmon\",\"Tactic: Privilege Escalation\",\"Tactic: Collection\",\"Tactic: Exfiltration\",\"Data Source: PowerShell Logs\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\",\"Use Case: Living off the Land Attack Detection\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Command and Control\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\",\"Data Source: File Integrity Monitoring\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Auditd Manager\",\"Threat: Rootkit\",\"Use Case: Vulnerability\",\"Data Source: Microsoft 365\",\"Data Source: AWS EC2\",\"Data Source: AWS STS\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Configuration Audit\",\"Data Source: APM\",\"Data Source: Windows\",\"Data Source: System\",\"Data Source: AWS IAM\",\"Tactic:Execution\",\"Domain: Container\",\"Data Source: AWS KMS\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: LLM04\",\"Threat: BPFDoor\"]},\"rules\":[{\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"revision\":0,\"current_rule\":{\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"updated_at\":\"2024-12-04T19:45:45.870Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.870Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Repository Deleted\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a GitHub repository 
is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.module == \\\"github\\\" and event.action == \\\"repo.destroy\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Repository Deleted\",\"description\":\"This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. 
Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1c7756fc-ed22-401a-a96e-454a7751ca3f\",\"rule_id\":\"345889c4-23a8-4bc0-b7ca-756bd17ce83b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.870Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.module == \\\"github\\\" and event.action == \\\"repo.destroy\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":true,\"base_version\":2,\"current_version\":2,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=A, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"}},\"num_fields_with_updates\":1,\"num_fields_with_conflicts\":0,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"revision\":0,\"current_rule\":{\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"updated_at\":\"2024-12-04T19:46:02.749Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.749Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of GitHub User Interaction with Private Repo\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and user.name:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"user.name\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of GitHub User Interaction with Private Repo\",\"description\":\"Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"44d3d1d3-17ce-4282-89e2-320ef6d019aa\",\"rule_id\":\"01c49712-25bc-49d2-a27d-d7ce52f5dc49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.749Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and user.name:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"user.name\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"revision\":0,\"current_rule\":{\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"updated_at\":\"2024-12-04T19:46:02.752Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.752Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of GitHub Repo Interaction From a New IP\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.repo:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.repo\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of GitHub Repo Interaction From a New IP\",\"description\":\"Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"16e50d16-cc0e-4d7c-adef-a22717be93b5\",\"rule_id\":\"0294f105-d7af-4a02-ae90-35f56763ffa2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.752Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.repo:* and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.repo\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"revision\":0,\"current_rule\":{\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"updated_at\":\"2024-12-04T19:45:41.470Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.470Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Protected Branch Settings Changed\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. 
Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" \\n and github.category == \\\"protected_branch\\\" and event.type == \\\"change\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Protected Branch Settings Changed\",\"description\":\"This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. 
Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bbb1c48c-459e-4732-bfa6-80a8f649d159\",\"rule_id\":\"07639887-da3a-4fbf-9532-8ce748ff8c50\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.470Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" \\n and github.category == \\\"protected_branch\\\" and event.type == 
\\\"change\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"revision\":0,\"current_rule\":{\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"updated_at\":\"2024-12-04T19:46:03.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.682Z\",\"created_by\":\"elastic\",\"name\":\"Member Removed From GitHub Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A member was removed or their invitation to join was removed from a GitHub Organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.remove_member\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Member Removed From GitHub Organization\",\"description\":\"A member was removed or their invitation to join was removed from a GitHub Organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"78952d71-2968-4cfb-b42f-a04c52ea5ec5\",\"rule_id\":\"095b6a58-8f88-4b59-827c-ab584ad4e759\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.682Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.remove_member\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"revision\":0,\"current_rule\":{\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"updated_at\":\"2024-12-04T19:46:03.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.689Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of User Agent For a GitHub Personal Access Token 
(PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access 
token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of User Agent For a GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c3dbe726-9b7e-4f6a-bf64-8f01c180e8c8\",\"rule_id\":\"0e4367a0-a483-439d-ad2e-d90500b925fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.689Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"revision\":0,\"current_rule\":{\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"updated_at\":\"2024-12-04T19:46:03.708Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.708Z\",\"created_by\":\"elastic\",\"name\":\"New GitHub App Installed\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. 
Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1072\",\"name\":\"Software Deployment Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1072/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"integration_installation.create\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New GitHub App Installed\",\"description\":\"This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. 
Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1072\",\"name\":\"Software Deployment Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1072/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29106a32-8e19-47c0-a497-8966ab272f62\",\"rule_id\":\"1ca62f14-4787-4913-b7af-df11745a49da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.708Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"integration_installation.create\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"updated_at\":\"2024-12-04T19:45:43.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.581Z\",\"created_by\":\"elastic\",\"name\":\"Okta Sign-In Events via Third-Party IdP\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Sign-In Events via Third-Party IdP\\n\\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\\n\\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. 
This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\\n\\n#### Possible investigation steps:\\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if this IdP is authorized to be used by the tenant.\\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\\n- 
Mobile device forensics may be required to determine if the user's device is compromised.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1199\",\"name\":\"Trusted 
Relationship\",\"reference\":\"https://attack.mitre.org/techniques/T1199/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.authentication_context.issuer.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.request_uri\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\\n or user.authentication.auth_via_inbound_SAML\\n or user.authentication.auth_via_mfa\\n or user.authentication.auth_via_social)\\n or event.action:user.session.start) or\\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\\n and okta.outcome.reason:(\\\"A SAML assert with the same ID has already been processed by Okta for a previous request\\\"\\n or \\\"Unable to match transformed username\\\"\\n or \\\"Unable to resolve 
IdP endpoint\\\"\\n or \\\"Unable to validate SAML Response\\\"\\n or \\\"Unable to validate incoming SAML Assertion\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta Sign-In Events via Third-Party IdP\",\"description\":\"Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Sign-In Events via Third-Party IdP\\n\\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\\n\\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\\n\\n#### Possible investigation steps:\\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if this IdP is authorized to be used by the tenant.\\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\\n- Mobile device forensics may be required to determine if the user's device is compromised.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: 
Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1199\",\"name\":\"Trusted Relationship\",\"reference\":\"https://attack.mitre.org/techniques/T1199/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.authentication_context.issuer.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.request_uri\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"0ef1e7bd-a61c-44b2-a7c2-80117bb4ff5d\",\"rule_id\":\"1ceb05c4-7d25-11ee-9562-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\\n or user.authentication.auth_via_inbound_SAML\\n or user.authentication.auth_via_mfa\\n or user.authentication.auth_via_social)\\n or event.action:user.session.start) or\\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\\n and okta.outcome.reason:(\\\"A SAML assert with the same ID has already been processed by Okta for a previous request\\\"\\n or \\\"Unable to match transformed username\\\"\\n or \\\"Unable to resolve IdP endpoint\\\"\\n or \\\"Unable to validate SAML Response\\\"\\n or \\\"Unable to validate incoming SAML Assertion\\\"))\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"revision\":0,\"current_rule\":{\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"updated_at\":\"2024-12-04T19:46:03.710Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.710Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: 
Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repo\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"d9233b2d-a3fb-421d-b6b8-ba55797dce5a\",\"rule_id\":\"1e9b271c-8caa-4e20-aed8-e91e34de9283\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.710Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.repo:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and 
\\ngithub.repository_public:false\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.repo\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"updated_at\":\"2024-12-04T19:46:03.712Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.712Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Okta Device Token Cookies Generated for Authentication\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the 
`okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication 
behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Okta Device Token Cookies Generated for Authentication\",\"description\":\"Detects when an Okta client address has a certain 
threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication 
was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage 
may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"8e3522ca-1870-436d-a546-723ed270a9a4\",\"rule_id\":\"23f18264-2d6d-11ef-9413-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.712Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE 
\\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\
"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| 
WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.request_uri == \\\"/api/v1/authn\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count >= 30\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"revision\":0,\"current_rule\":{\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"updated_at\":\"2024-12-04T19:45:44.599Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.599Z\",\"created_by\":\"elastic\",\"name\":\"New GitHub Owner Added\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.003\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\" and github.permission == \\\"admin\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New GitHub Owner Added\",\"description\":\"Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.003\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f3437b21-e175-4717-8834-0b374fa19ac9\",\"rule_id\":\"24401eca-ad0b-4ff9-9431-487a8e183af9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.599Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\" and github.permission == 
\\\"admin\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"updated_at\":\"2024-12-04T19:45:44.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.615Z\",\"created_by\":\"elastic\",\"name\":\"New Okta Authentication Behavior Detected\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects events where Okta behavior detection has identified a new authentication behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Authentication Behavior Detected\\n\\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the authentication anomaly by 
examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may be using a new device or location to sign in.\\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.risk_behaviors\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New Okta Authentication Behavior Detected\",\"description\":\"Detects events where Okta behavior detection has identified a new authentication behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Authentication Behavior Detected\\n\\nThis rule detects events where Okta behavior detection has identified a new 
authentication behavior such as a new device or location.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may be using a new device or location to sign in.\\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the 
data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.risk_behaviors\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"44490733-969f-4d75-987b-d121ba47e483\",\"rule_id\":\"260486ee-7d98-11ee-9599-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\"],\"target_version\":[\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://
www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"updated_at\":\"2024-12-04T19:46:03.724Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.724Z\",\"created_by\":\"elastic\",\"name\":\"New Okta Identity Provider (IdP) Added by Admin\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Identity Provider (IdP) Added by Admin\\n\\nThis rule detects the creation of a new Identity 
Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts if they appear suspicious, using 
the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.007\",\"name\":\"Hybrid Identity\",\"reference\":\"https://attack.mitre.org/techniques/T1556/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset: \\\"okta.system\\\" and event.action: \\\"system.idp.lifecycle.create\\\" and okta.outcome.result: \\\"SUCCESS\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New Okta Identity Provider (IdP) Added by Admin\",\"description\":\"Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating New Okta Identity Provider (IdP) Added by Admin\\n\\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\\n\\n### Response and remediation:\\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\\n- If the actor is unauthorized, deactivate their account via the Okta console.\\n- If the actor is authorized, ensure that the actor's account is not compromised.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Data Source: 
Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.007\",\"name\":\"Hybrid Identity\",\"reference\":\"https://attack.mitre.org/techniques/T1556/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"604e76aa-ddb0-4135-b60f-93767ce41cda\",\"rule_id\":\"29b53942-7cd4-11ee-b70e-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.992Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.724Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset: \\\"okta.system\\\" and event.action: \\\"system.idp.lifecycle.create\\\" and okta.outcome.result: \\\"SUCCESS\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://unit42.paloaltonetworks.com/muddled-libra/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"updated_at\":\"2024-12-04T19:45:44.714Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.714Z\",\"created_by\":\"elastic\",\"name\":\"Okta User Sessions Started from Different Geolocations\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and analysis\\n\\n### Investigating Okta User Sessions Started from Different Geolocations\\n\\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. 
Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries 
in a short time frame.\\n- Sessions that Okta does not itself flag as proxied can still match, because the query only excludes events where `okta.security_context.is_proxy` is true; VPN or cloud-hosted clients are common examples. Confirm with `okta.client.ip` and `okta.debug_context.debug_data.dt_hash` before closing the alert as benign.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If the user does not confirm that the request was legitimate, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":101,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta User Sessions Started from Different Geolocations\",\"description\":\"Detects when a specific Okta actor has multiple sessions started from different geolocations. 
Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and analysis\\n\\n### Investigating Okta User Sessions Started from Different Geolocations\\n\\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Review the past activities of 
the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\\n- Sessions that Okta does not itself flag as proxied can still match, because the query only excludes events where `okta.security_context.is_proxy` is true; VPN or cloud-hosted clients are common examples. Confirm with `okta.client.ip` and `okta.debug_context.debug_data.dt_hash` before closing the alert as benign.\\n\\n### Response and remediation:\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If the user does not confirm that the request was legitimate, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being 
generated.\\n\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"f35e8057-8356-41cf-917a-e4e64d406ab1\",\"rule_id\":\"2e56e1bc-867a-11ee-b13e-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.714Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| 
WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":101,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.c
om/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == 
\\\"user.session.start\\\")\\n AND okta.security_context.is_proxy != true and okta.actor.id != \\\"unknown\\\"\\n AND event.outcome == \\\"success\\\"\\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\\n| STATS\\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\\n BY okta.actor.id, okta.actor.alternate_id\\n| WHERE\\n geo_auth_counts >= 2\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"revision\":0,\"current_rule\":{\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"updated_at\":\"2024-12-04T19:45:45.905Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.905Z\",\"created_by\":\"elastic\",\"name\":\"Attempted Bypass of Okta MFA\",\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempted Bypass of Okta MFA\\n\\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\\n\\nThis rule detects attempts to bypass Okta MFA. 
It might indicate a serious attempt to compromise a user account within the organization's network.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the MFA bypass attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\\n\\n### False positive analysis\\n\\n- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's MFA settings to ensure they are correctly configured.\\n\\n### Response and remediation\\n\\n- If unauthorized access is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1111\",\"name\":\"Multi-Factor Authentication 
Interception\",\"reference\":\"https://attack.mitre.org/techniques/T1111/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.attempt_bypass\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempted Bypass of Okta MFA\",\"description\":\"Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempted Bypass of Okta MFA\\n\\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\\n\\nThis rule detects attempts to bypass Okta MFA. 
It might indicate a serious attempt to compromise a user account within the organization's network.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the MFA bypass attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\\n\\n### False positive analysis\\n\\n- Check if there were issues with the MFA system at the time of the bypass attempt. This could indicate a system error rather than a genuine bypass attempt.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's MFA settings to ensure they are correctly configured.\\n\\n### Response and remediation\\n\\n- If unauthorized access is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential 
Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1111\",\"name\":\"Multi-Factor Authentication Interception\",\"reference\":\"https://attack.mitre.org/techniques/T1111/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70d77e68-a2c5-4a22-a42a-963b61f938f6\",\"rule_id\":\"3805c3dc-f82c-4f8d-891e-63c24d3102b0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.905Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:user.mfa.attempt_bypass\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"revision\":0,\"current_rule\":{\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"updated_at\":\"2024-12-04T19:46:03.743Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.743Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of IP Address For GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of IP Address For GitHub User\",\"description\":\"Detects a new IP address used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6b529744-6ad8-4e6a-a97d-1c34f012a717\",\"rule_id\":\"3af4cb9b-973f-4c54-be2b-7623c0e21b2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.743Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"revision\":0,\"current_rule\":{\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"updated_at\":\"2024-12-04T19:46:03.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.748Z\",\"created_by\":\"elastic\",\"name\":\"GitHub User Blocked From Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A GitHub user was blocked from access to an organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == 
\\\"github.audit\\\" and event.action == \\\"org.block_user\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub User Blocked From Organization\",\"description\":\"A GitHub user was blocked from access to an organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e67da079-7889-404d-84f7-e7e5797194cb\",\"rule_id\":\"4030c951-448a-4017-a2da-ed60f6d14f4f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == 
\\\"org.block_user\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"revision\":0,\"current_rule\":{\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"updated_at\":\"2024-12-04T19:46:03.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.750Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of User-Agent For a GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of User-Agent For a GitHub User\",\"description\":\"Detects a new user agent used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2845e1e5-42a7-4752-8fc7-1a781d15d93a\",\"rule_id\":\"41761cd3-380f-4d4d-89f3-46d6853ee35d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.user_agent:* and user.name:*\\n\",\"new_terms_fields\":[\"user.name\",\"github.user_agent\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"revision\":0,\"current_rule\":{\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"updated_at\":\"2024-12-04T19:45:46.716Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.716Z\",\"created_by\":\"elastic\",\"name\":\"Okta Brute Force or Password Spraying Attack\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Brute Force or Password Spraying Attack\\n\\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\\n\\n#### Possible investigation steps:\\n\\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\\n- Check the timeline of the events. 
Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\\n- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?\\n\\n### False positive analysis:\\n\\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\\n\\n### Response and remediation:\\n\\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\\n- Enhance monitoring on the affected user accounts for any suspicious activity.\\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\\n- Review and update your security policies based on the findings from the incident.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and event.outcome:failure\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"actions\":[]},\"target_rule\":{\"name\":\"Okta Brute Force or Password Spraying Attack\",\"description\":\"Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta Brute Force or Password Spraying Attack\\n\\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. 
This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\\n\\n#### Possible investigation steps:\\n\\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\\n- Analyze any previous successful logins from this IP. Was this IP previously associated with successful logins?\\n\\n### False positive analysis:\\n\\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\\n\\n### Response and remediation:\\n\\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\\n- Notify the users who are targeted by the attack. 
Ask them to change their passwords and ensure they use unique, complex passwords.\\n- Enhance monitoring on the affected user accounts for any suspicious activity.\\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\\n- Review and update your security policies based on the findings from the incident.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d2a04698-2f2a-468c-b487-e276cd242ac0\",\"rule_id\":\"42bf698b-4738-445b-8231-c834ddefd8a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.716Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and event.category:authentication and event.outcome:failure\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"revision\":0,\"current_rule\":{\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"updated_at\":\"2024-12-04T19:45:47.787Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.787Z\",\"created_by\":\"elastic\",\"name\":\"Unauthorized Access to an Okta Application\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unauthorized access attempts to Okta applications.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unauthorized Access to an Okta Application\",\"description\":\"Identifies unauthorized access attempts to Okta applications.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin 
Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dc863eae-3f04-4b7a-8446-b7cab69567ab\",\"rule_id\":\"4edd3e1a-3aa0-499b-8147-4d2ea43b1613\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.787Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"
https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"updated_at\":\"2024-12-04T19:45:47.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.792Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\\n\\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\\n\\n#### Possible investigation steps:\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may 
share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.\",\"Users may share an endpoint related to work or personal use in which separate Okta accounts 
are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.dt_hash\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system\\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\\n\",\"threshold\":{\"field\":[\"okta.debug_context.debug_data.dt_hash\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.actor.id\",\"value\":3}]},\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\",\"description\":\"Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\\n\\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\\n\\n#### Possible investigation steps:\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may 
share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential 
Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"An Okta administrator may be logged into multiple accounts from the same host for legitimate reasons.\",\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.debug_context.debug_data.dt_hash\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"3b06fdf6-49d3-4dc2-9dc4-8d31fe095377\",\"rule_id\":\"50887ba8-7ff7-11ee-a038-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system\\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\\n\",\"threshold\":{\"field\":[\"okta.debug_context.debug_data.dt_hash\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.actor.id\",\"value\":3}]},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"updated_at\":\"2024-12-04T19:46:03.765Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.765Z\",\"created_by\":\"elastic\",\"name\":\"Stolen Credentials Used to Login to Okta Account After MFA Reset\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Domain: Cloud\"],\"interval\":\"6h\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\\n\\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\\n\\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. 
The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\\n\\n#### Possible investigation steps:\\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\\n\\n### False positive analysis:\\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\\n\\n### Response and remediation:\\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\\n - Ensure that all user sessions are stopped during this process.\\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\\n\\n## Setup\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\"],\"from\":\"now-12h\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\",\".alerts-security.*\",\"logs-endpoint.events.*\"],\"query\":\"sequence by user.name with maxspan=12h\\n [any where host.os.type == \\\"windows\\\" and signal.rule.threat.tactic.name == \\\"Credential Access\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.update\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type: (\\\"user.session.start\\\", \\\"user.authentication*\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Stolen Credentials Used to Login to Okta Account After MFA Reset\",\"description\":\"Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\\n\\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\\n\\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. 
The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\\n\\n#### Possible investigation steps:\\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\\n\\n### False positive analysis:\\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\\n\\n### Response and remediation:\\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\\n - Ensure that all user sessions are stopped during this process.\\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\\n\\n## Setup\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Data Source: Elastic Defend\",\"Rule Type: Higher-Order Rule\",\"Domain: Endpoint\",\"Domain: Cloud\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"6h\",\"from\":\"now-12h\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. 
Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d7e85031-87f4-4aee-a422-42e8ad170e52\",\"rule_id\":\"5610b192-7f18-11ee-825b-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.765Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.name with maxspan=12h\\n [any where host.os.type == \\\"windows\\\" and signal.rule.threat.tactic.name == \\\"Credential Access\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.update\\\"]\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type: (\\\"user.session.start\\\", \\\"user.authentication*\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\",\".alerts-security.*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"revision\":0,\"current_rule\":{\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"updated_at\":\"2024-12-04T19:46:03.783Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.783Z\",\"created_by\":\"elastic\",\"name\":\"New User Added To GitHub Organization\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new user was added to a GitHub organization.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New User Added To GitHub Organization\",\"description\":\"A new user was added to a GitHub organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c00f96d2-98fc-47bb-bbcb-a8ea03ca92fb\",\"rule_id\":\"61336fe6-c043-4743-ab6e-41292f439603\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.783Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.add_member\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"updated_at\":\"2024-12-04T19:45:48.936Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.936Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta Sessions Detected for a Single 
User\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Lateral Movement\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.\"],\"from\":\"now-30m\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.004\",\"name\":\"Web Session 
Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1550/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.display_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.authentication_context.external_session_id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\\n\",\"threshold\":{\"field\":[\"okta.actor.id\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.authentication_context.external_session_id\",\"value\":3}]},\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta Sessions Detected for a Single User\",\"description\":\"Detects when a user has started multiple Okta sessions with the same user account and different session IDs. 
This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Lateral Movement\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.004\",\"name\":\"Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1550/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.display_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.authentication_context.external_session_id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"7b0e7e01-49d7-4532-bd32-4646a28c9840\",\"rule_id\":\"621e92b6-7e54-11ee-bdc0-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.936Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\\n\",\"threshold\":{\"field\":[\"okta.actor.id\"],\"value\":1,\"cardinality\":[{\"field\":\"okta.authentication_context.external_session_id\",\"value\":3}]},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"revision\":0,\"current_rule\":{\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"updated_at\":\"2024-12-04T19:45:49.946Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.946Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy\\n\\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\\n\\n### False positive analysis:\\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Lock the actor's account and enforce password change as an immediate response.\\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\\n- Review any other actions taken by the actor to assess the overall impact.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.update\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Policy\",\"description\":\"Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy\\n\\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. 
If such an attempt is detected, consider the following steps for investigation.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Check the nature of the policy modification. You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\\n\\n### False positive analysis:\\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\\n- Verify the actor's geographical location and the time of the modification attempt. 
If these align with the actor's regular behavior, it could be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Lock the actor's account and enforce password change as an immediate response.\\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\\n- Review any other actions taken by the actor to assess the overall impact.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"881421e4-600b-45bb-ad26-3ac89bc9195d\",\"rule_id\":\"6731fbf2-8f28-49ed-9ab9-9a918ceb5a45\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.946Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.update\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"revision\":0,\"current_rule\":{\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"updated_at\":\"2024-12-04T19:45:49.951Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.951Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Revoke Okta API Token\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Revoke Okta API Token\\n\\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\\n- Verify if the API token revocation was authorized or part of some planned activity.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Analyze the past activities of the actor involved in this action. 
An actor who usually performs such activities may indicate a legitimate reason.\\n- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\\n\\n### Response and remediation:\\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.revoke\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Revoke Okta API Token\",\"description\":\"Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Revoke Okta API Token\\n\\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\\n- Determine the client used by the actor. 
Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\\n- Verify if the API token revocation was authorized or part of some planned activity.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\\n- Evaluate the actions that happened just before and after this event. It can help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\\n\\n### Response and remediation:\\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false 
positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"19f6e107-fa5f-482c-9040-2bbf0eafa4e9\",\"rule_id\":\"676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.951Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.revoke\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"revision\":0,\"current_rule\":{\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"updated_at\":\"2024-12-04T19:45:49.958Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.958Z\",\"created_by\":\"elastic\",\"name\":\"Okta ThreatInsight Threat Suspected Promotion\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. 
When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"rule_name_override\":\"okta.display_message\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"threat\":[],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.threat_suspected\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"l
anguage\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta ThreatInsight Threat Suspected Promotion\",\"description\":\"Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.\",\"risk_score\":47,\"severity\":\"medium\",\"rule_name_override\":\"okta.display_message\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: 
Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"okta.debug_context.debug_data.risk_level\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[],\"setup\":\"\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.debug_context.debug_data.threat_suspected\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"8bdda6ef-2a75-441d-acef-e65cdd68f149\",\"rule_id\":\"6885d2ae-e008-4762-b98a-e8e1cd3a81e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.958Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: 
true)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"revision\":0,\"current_rule\":{\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"updated_at\":\"2024-12-04T19:46:03.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.790Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Repo Created\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new GitHub repository was created.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"repo.create\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Repo Created\",\"description\":\"A new GitHub repository was created.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fb166877-c232-4ba3-901b-e0100c7aa9e3\",\"rule_id\":\"6cea88e4-6ce2-4238-9981-a54c140d6336\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == \\\"repo.create\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"updated_at\":\"2024-12-04T19:46:03.795Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.795Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Okta User Session Started via 
Proxy\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the first occurrence of an Okta user session started via a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Occurrence of Okta User Session Started via Proxy\\n\\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the combination of the `okta.actor.id` and `cloud.account.id` values is checked against the previous 7 days of data to determine if that combination has been seen before for this activity.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n\\n### Response and remediation:\\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n\\n## Setup\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1133\",\"name\":\"External Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1133/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"new_terms\",\"query\":\"event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\\n\",\"new_terms_fields\":[\"okta.actor.id\",\"cloud.account.id\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Okta User Session Started via Proxy\",\"description\":\"Identifies the first occurrence of an Okta user session started via a proxy.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Occurrence of Okta User Session Started via Proxy\\n\\nThis rule detects the first occurrence of an Okta user session started via a 
proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the combination of the `okta.actor.id` and `cloud.account.id` values is checked against the previous 7 days of data to determine if that combination has been seen before for this activity.\\n\\n#### Possible investigation steps:\\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\\n- Review the past activities of the actor involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n\\n### Response and remediation:\\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the user.\\n- If the user is not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in 
accordance with security best practices.\\n\\n## Setup\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1133\",\"name\":\"External Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1133/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.security_context.is_proxy\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"e354c0c1-ed01-44ca-acfe-41a2c53a5278\",\"rule_id\":\"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.795Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\\n\",\"new_terms_fields\":[\"okta.actor.id\",\"cloud.account.id\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://developer.okta.com/docs/reference/api/system-log/#issuer-object\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"revision\":0,\"current_rule\":{\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"updated_at\":\"2024-12-04T19:45:51.195Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.195Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Reset MFA Factors for an Okta User Account\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. 
An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.factor.reset_all\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Reset MFA Factors for an Okta User 
Account\",\"description\":\"Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e0ee9ef6-537a-41b4-9b12-ce5165fd4342\",\"rule_id\":\"729aa18d-06a6-41c7-b175-b65b739b1181\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.994Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.195Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.mfa.factor.reset_all\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.
co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"updated_at\":\"2024-12-04T19:45:52.121Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.121Z\",\"created_by\":\"elastic\",\"name\":\"Potential Okta MFA Bombing via Push Notifications\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Okta MFA Bombing via Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. 
However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule's query requires five `user.mfa.okta_verify.deny_push` events (`with runs=5`) for the same `okta.actor.id` within a 10-minute window (`maxspan=10m`), and its `until` clause is keyed on a successful authentication event (`user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify`, or `user.session.start` with `okta.outcome.result` of `SUCCESS`). Note that in EQL an `until` event terminates an in-progress sequence rather than forming part of the match, so confirm the expected alert shape against the query before relying on the presence of a success event. This pattern could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and any subsequent successful login.\\n- Review the `okta.event_type` field to understand the nature of the events. The alert should include five `user.mfa.okta_verify.deny_push` events; check whether a successful authentication event (`user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify`, or `user.session.start` with `okta.outcome.result` of `SUCCESS`) occurred for the same actor within the window.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor Authentication Request 
Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\"\\n and okta.event_type == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=5\\n until [authentication where event.dataset == \\\"okta.system\\\"\\n and (okta.event_type: (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"event_category_override\":\"event.category\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Okta MFA Bombing via Push Notifications\",\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. 
An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Okta MFA Bombing via Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\\n\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor 
Authentication Request Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a3640331-cce2-4dc5-95d7-1b3b61d1efce\",\"rule_id\":\"8a0fbd26-867f-11ee-947c-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.994Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.121Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\"\\n and okta.event_type == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=5\\n until [authentication where event.dataset == \\\"okta.system\\\"\\n and (okta.event_type: (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"event_category_override\":\"event.category\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"revision\":0,\"current_rule\":{\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"updated_at\":\"2024-12-04T19:46:04.713Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.713Z\",\"created_by\":\"elastic\",\"name\":\"GitHub PAT Access Revoked\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Access to private GitHub organization resources was revoked for a PAT.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == 
\\\"github.audit\\\" and event.action == \\\"personal_access_token.access_revoked\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub PAT Access Revoked\",\"description\":\"Access to private GitHub organization resources was revoked for a PAT.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Impact\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f0044f98-c2f7-4957-b329-d10191f08ed7\",\"rule_id\":\"8a0fd93a-7df8-410d-8808-4cc5e340f2b9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.994Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.713Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and event.action == 
\\\"personal_access_token.access_revoked\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"revision\":0,\"current_rule\":{\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"updated_at\":\"2024-12-04T19:45:52.129Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.129Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Network Zone\\n\\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deactivation of a network zone.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\\n- Investigate the `event.time` field to understand when the event happened.\\n- Review the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis\\n\\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\\n- Verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\\n- Re-enable the deactivated network zone if it was deactivated without authorization.\\n- Review and update the privileges of the actor who initiated the deactivation.\\n- Check the security policies and procedures to identify any gaps and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"from\":\"now-6m\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Network Zone\",\"description\":\"Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Network Zone\\n\\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. 
Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deactivation of a network zone.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\\n- Investigate the `event.time` field to understand when the event happened.\\n- Review the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis\\n\\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's normal behavior, it might be a false positive.\\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\\n- Verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\\n- Re-enable the deactivated network zone if it was deactivated without authorization.\\n- Review and update the privileges of the actor who initiated the deactivation.\\n- Check the security policies and procedures to identify any gaps and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access 
Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c9178ef3-a8c2-4b05-b379-dee1fb73a9ef\",\"rule_id\":\"8a5c1e5f-ad63-481e-b53a-ef959230f7f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.994Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.129Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https:/
/developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"updated_at\":\"2024-12-04T19:46:04.720Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.720Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Authentication Events with Client Address\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Client Address\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the 
`okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication 
behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Authentication Events with Client Address\",\"description\":\"Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Client Address\\n\\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide 
additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is 
required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"87c5173b-6252-400c-9a2b-28a8b094b261\",\"rule_id\":\"94e734c0-2cda-11ef-84e1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.994Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.720Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == 
\\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://ww
w.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action == \\\"user.session.start\\\" OR event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\")\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, 
event.action, okta.outcome.reason\\n| STATS\\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.client.ip, okta.actor.alternate_id\\n| WHERE\\n source_auth_count > 5\\n| SORT\\n source_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"updated_at\":\"2024-12-04T19:46:04.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.723Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Okta User Authentication Events with Same Device Token Hash\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\\n\\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of 
the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the 
`okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple users.\"],\"from\":\"now-9m\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential 
Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Okta User Authentication Events with Same Device Token Hash\",\"description\":\"Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. 
Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\\n\\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\\n - If the authentication was successful for any user, pivoting to `event.action` values for 
those users may provide additional context.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n\\n### False positive analysis:\\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\\n - Shared working spaces may have a single endpoint that is used by multiple users.\\n\\n### Response and remediation:\\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting 
passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\\n - This will prevent future occurrences of this event for this device from triggering the rule.\\n\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\",\"Shared systems such as Kiosks and conference room computers may be used by multiple 
users.\"],\"references\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]},{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.004\",\"name\":\"Credential Stuffing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/004/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"b5e28543-4187-4f92-ac79-12c57a170ab0\",\"rule_id\":\"95b99adc-2cda-11ef-84e1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE 
\\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\"],\"target_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://support.okta.com/help/s/article/How-does-the-Device-T
oken-work?language=en_US\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM 
logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n AND (event.action RLIKE \\\"user\\\\\\\\.authentication(.*)\\\" OR event.action == \\\"user.session.start\\\")\\n AND okta.debug_context.debug_data.dt_hash != \\\"-\\\"\\n AND okta.outcome.reason == \\\"INVALID_CREDENTIALS\\\"\\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\\n| STATS\\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\\n| WHERE\\n target_auth_count > 20\\n| SORT\\n target_auth_count DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"revision\":0,\"current_rule\":{\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"updated_at\":\"2024-12-04T19:45:53.179Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.179Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Create Okta API Token\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. 
An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.create\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Create Okta API Token\",\"description\":\"Detects attempts to create an Okta API token. 
An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fc027bdd-32ba-48ca-ada0-c3a0d2af72d6\",\"rule_id\":\"96b9f4ea-0e8c-435b-8d53-2096e75fcac5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.179Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:system.api_token.create\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.el
astic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"revision\":0,\"current_rule\":{\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"updated_at\":\"2024-12-04T19:45:53.195Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.195Z\",\"created_by\":\"elastic\",\"name\":\"Potentially Successful MFA Bombing via Push Notifications\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Abuse of Repeated MFA Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. 
However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor Authentication Request 
Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and event.action == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=3\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and (event.action : (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"event_category_override\":\"event.category\",\"actions\":[]},\"target_rule\":{\"name\":\"Potentially Successful MFA Bombing via Push Notifications\",\"description\":\"Detects when an attacker abuses the Multi-Factor authentication 
mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Abuse of Repeated MFA Push Notifications\\n\\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\\n\\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\\n\\n#### Possible investigation steps:\\n\\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\\n- Look for any other suspicious activity on the account around the same time.\\n- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.\\n\\n### False positive analysis:\\n\\n- Determine if the MFA push notifications were legitimate. 
Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\\n- Check if there are known issues with the MFA system causing false denials.\\n\\n### Response and remediation:\\n\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Alert the user and your IT department immediately.\\n- If possible, isolate the user's account until the issue is resolved.\\n- Investigate the source of the unauthorized access.\\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\\n- Consider enhancing your MFA policy to prevent such incidents in the future.\\n- Encourage users to report any unexpected MFA notifications immediately.\\n- Review and update your incident response plans and security policies based on the findings from the incident.\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1621\",\"name\":\"Multi-Factor 
Authentication Request Generation\",\"reference\":\"https://attack.mitre.org/techniques/T1621/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.module\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"034405ee-7f05-4cf4-815b-d7582ae381e6\",\"rule_id\":\"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.195Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=10m\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and event.action == \\\"user.mfa.okta_verify.deny_push\\\"] with runs=3\\n [authentication where event.dataset == \\\"okta.system\\\" and event.module == \\\"okta\\\"\\n and (event.action : (\\n \\\"user.authentication.sso\\\",\\n \\\"user.authentication.auth_via_mfa\\\",\\n \\\"user.authentication.verify\\\",\\n \\\"user.session.start\\\") and okta.outcome.result == \\\"SUCCESS\\\")]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"event_category_override\":\"event.category\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\"],\"target_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://www.mandiant.com/resources/russian-targeting-gov-business\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"revision\":0,\"current_rule\":{\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"updated_at\":\"2024-12-04T19:45:54.186Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.186Z\",\"created_by\":\"elastic\",\"name\":\"GitHub Owner Role Granted To User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.update_member\\\" and github.permission == \\\"admin\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub Owner Role Granted To User\",\"description\":\"This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.permission\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f01d4448-25a6-4be1-b344-53c466e039ee\",\"rule_id\":\"9b343b62-d173-4cfd-bd8b-e6379f964ca4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.186Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"github.audit\\\" and event.action == \\\"org.update_member\\\" and github.permission == 
\\\"admin\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"revision\":0,\"current_rule\":{\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"updated_at\":\"2024-12-04T19:45:56.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.560Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy\\n\\nOkta policies are critical to managing user access and enforcing security controls within an organization. 
The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Policy\",\"description\":\"Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy\\n\\nOkta policies are critical to managing user access and enforcing security controls within an organization. 
The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"10b08dad-75f3-4d2c-90e5-572ea0ba3330\",\"rule_id\":\"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.lifecycle.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"revision\":0,\"current_rule\":{\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"updated_at\":\"2024-12-04T19:45:56.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.581Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Policy\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy\\n\\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. 
Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.lifecycle.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Policy\",\"description\":\"Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy\\n\\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. 
Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. For example, disabling an MFA policy could lower the security of user authentication processes.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false 
positives.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1474dc77-c0f8-433e-a134-ab5e2d91e735\",\"rule_id\":\"b719a170-3bdb-4141-b0e3-13e3cf627bfe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.lifecycle.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"revision\":0,\"current_rule\":{\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"updated_at\":\"2024-12-04T19:45:56.587Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.587Z\",\"created_by\":\"elastic\",\"name\":\"Administrator Privileges Assigned to an Okta Group\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-6m\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:group.privilege.grant\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Administrator Privileges Assigned to an Okta Group\",\"description\":\"Detects when an administrator role is assigned to an Okta group. 
An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f38c02b0-4ec9-44af-a9a6-419af96ab91d\",\"rule_id\":\"b8075894-0b62-46e5-977c-31275da34419\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.587Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:group.privilege.grant\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/r
eference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"revision\":0,\"current_rule\":{\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"updated_at\":\"2024-12-04T19:45:57.464Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.464Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Network Zone\\n\\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deletion of a network zone.\\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\\n- Review the `event.time` field to understand when the event happened.\\n- Check the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis:\\n\\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation:\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\\n- Review and update the privileges of the actor who initiated the deletion.\\n- Identify any gaps in the security policies and procedures and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted.\"],\"from\":\"now-6m\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Network Zone\",\"description\":\"Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Network Zone\\n\\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. 
Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Examine the `event.action` field to confirm the deletion of a network zone.\\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\\n- Review the `event.time` field to understand when the event happened.\\n- Check the actor's activities before and after the event to understand the context of this event.\\n\\n### False positive analysis:\\n\\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. If these match the actor's typical behavior, it might be a false positive.\\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\\n\\n### Response and remediation:\\n\\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\\n- Review and update the privileges of the actor who initiated the deletion.\\n- Identify any gaps in the security policies and procedures and update them as necessary.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone 
settings.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"23054cee-c6f1-4fb6-b114-c45d53f5a462\",\"rule_id\":\"c749e367-a069-4a73-b1f2-43a3798153ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.464Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:zone.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://dev
eloper.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"revision\":0,\"current_rule\":{\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"updated_at\":\"2024-12-04T19:45:57.466Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.466Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.update\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Application\",\"description\":\"Detects attempts to modify an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"81d33d7d-8697-40c7-afb6-442cf927690b\",\"rule_id\":\"c74fd275-ab2c-4d49-8890-e2943fa65c09\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.466Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.update\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/
api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"updated_at\":\"2024-12-04T19:45:58.411Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.411Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Device Token Hashes for Single Okta Session\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\",\"Domain: SaaS\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. 
Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Device Token Hashes for Single Okta Session\\n\\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta 
and application.\\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\\n\\n### Response and remediation:\\n- Consider stopping all sessions for the user(s) involved in this action.\\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being generated.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\"],\"version\":102,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Device Token Hashes for Single Okta 
Session\",\"description\":\"This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Device Token Hashes for Single Okta Session\\n\\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\\n\\n#### Possible investigation steps:\\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\\n- Review the past activities of the actor(s) involved in this 
action by checking their previous actions.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\\n\\n### False positive analysis:\\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\\n\\n### Response and remediation:\\n- Consider stopping all sessions for the user(s) involved in this action.\\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\\n - If MFA is already enabled, consider resetting MFA for the users.\\n- If any of the users are not legitimate, consider deactivating the user's account.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\\n - If so, confirm with the user this was a legitimate request.\\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\\n - Reset passwords and reset MFA for the user.\\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\\n - This should be done with caution as it may prevent legitimate alerts from being 
generated.\\n\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Credential Access\",\"Domain: SaaS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"setup\":\"## Setup\\n\\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"79cd6398-e415-4fb1-9fba-f3595ba5b7ac\",\"rule_id\":\"cc382a2e-7e52-11ee-9aac-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.411Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where 
session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":102,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == 
\\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN (\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"FROM logs-okta*\\n| WHERE\\n event.dataset == \\\"okta.system\\\"\\n // ignore authentication events where session and device token hash change often\\n AND NOT event.action IN 
(\\n \\\"policy.evaluate_sign_on\\\",\\n \\\"user.session.start\\\",\\n \\\"user.authentication.sso\\\"\\n )\\n // ignore Okta system events and only allow registered users\\n AND (\\n okta.actor.alternate_id != \\\"system@okta.com\\\"\\n AND okta.actor.alternate_id RLIKE \\\"[^@\\\\\\\\s]+\\\\\\\\@[^@\\\\\\\\s]+\\\"\\n )\\n AND okta.authentication_context.external_session_id != \\\"unknown\\\"\\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\\n| STATS\\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\\n okta.actor.alternate_id,\\n okta.authentication_context.external_session_id\\n| WHERE\\n dt_hash_counts >= 2\\n| SORT\\n dt_hash_counts DESC\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"revision\":0,\"current_rule\":{\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"updated_at\":\"2024-12-04T19:45:58.421Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.421Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate a rule within an Okta policy. 
An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy Rule\\n\\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\\n\\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deactivation attempt. 
This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Policy Rule\",\"description\":\"Detects attempts to deactivate a rule within an Okta policy. 
An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Policy Rule\\n\\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\\n\\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. A threat actor may do this to remove barriers to their activities or enable future attacks.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deactivation attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta 
system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"20603e17-f89f-473c-be26-26a665b73484\",\"rule_id\":\"cc92c835-da92-45c9-9f29-b4992ad621a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.421Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.rule.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"revision\":0,\"current_rule\":{\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"updated_at\":\"2024-12-04T19:45:58.423Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.423Z\",\"created_by\":\"elastic\",\"name\":\"Modification or Removal of an Okta Application Sign-On Policy\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify or delete a sign on policy for an Okta application. 
An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.policy.sign_on.update or 
application.policy.sign_on.rule.delete)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification or Removal of an Okta Application Sign-On Policy\",\"description\":\"Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4941a1db-1078-4c62-8056-2e477d37affe\",\"rule_id\":\"cd16fb10-0261-46e8-9932-a0336278cdbe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.423Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm\",\"https://developer.okta
.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"revision\":0,\"current_rule\":{\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"updated_at\":\"2024-12-04T19:45:58.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.436Z\",\"created_by\":\"elastic\",\"name\":\"MFA Deactivation with no Re-Activation for Okta User Account\",\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Domain: Cloud\"],\"interval\":\"6h\",\"enabled\":false,\"revision\":0,\"description\":\"Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. 
An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.\"],\"from\":\"now-12h\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.client.user_agent.raw_user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The 
Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta.system*\"],\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.deactivate\\\"\\n and okta.outcome.result == \\\"SUCCESS\\\" and not okta.client.user_agent.raw_user_agent like \\\"SFDC-Callout*\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MFA Deactivation with no Re-Activation for Okta User Account\",\"description\":\"Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Tactic: Persistence\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Domain: Cloud\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"6h\",\"from\":\"now-12h\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\\n\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bcf9f642-e962-46c9-b848-5313354e7f1b\",\"rule_id\":\"cd89602e-9db0-48e3-9391-ae3bf241acd8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.436Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-okta.system*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a separate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. 
An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a separate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\\n\\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\\n\\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a separate user.\\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\\n\\n#### False positive steps:\\n\\n- Determine with the target user if MFA deactivation was expected.\\n- Determine if MFA is required for the target user account.\\n\\n#### Response and remediation:\\n\\n- If the MFA deactivation was not expected, consider deactivating the user\\n - This should be followed by resetting the user's password and re-enabling MFA.\\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.client.user_agent.raw_user_agent\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.actor.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}
,{\"name\":\"okta.outcome.result\",\"type\":\"keyword\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.deactivate\\\"\\n and okta.outcome.result == \\\"SUCCESS\\\" and not okta.client.user_agent.raw_user_agent like \\\"SFDC-Callout*\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by okta.actor.id with maxspan=12h\\n [any where event.dataset == \\\"okta.system\\\" and okta.event_type in (\\\"user.mfa.factor.deactivate\\\", \\\"user.mfa.factor.reset_all\\\")\\n and okta.outcome.reason != \\\"User reset SECURITY_QUESTION factor\\\" and okta.outcome.result == \\\"SUCCESS\\\"]\\n ![any where event.dataset == \\\"okta.system\\\" and okta.event_type == \\\"user.mfa.factor.activate\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"revision\":0,\"current_rule\":{\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"updated_at\":\"2024-12-04T19:45:58.439Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.439Z\",\"created_by\":\"elastic\",\"name\":\"Okta User Session Impersonation\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta User Session Impersonation\\n\\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. 
This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Review the `event.action` field to confirm the initiation of the impersonation event.\\n- Check the `event.time` field to understand the timing of the event.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\\n\\n### False positive analysis\\n\\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\\n- Ensure that the impersonation session was initiated by an authorized individual. You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\\n\\n### Response and remediation\\n\\n- If the impersonation was not authorized, consider it as a breach. 
Suspend the user account of the impersonator immediately.\\n- Reset the user session and invalidate any active sessions related to the impersonated user.\\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\\n- Review and update your security policies to prevent such incidents in the future.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-30m\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.session.impersonation.initiate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta User 
Session Impersonation\",\"description\":\"A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Okta User Session Impersonation\\n\\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\\n\\n#### Possible investigation steps\\n\\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\\n- Review the `event.action` field to confirm the initiation of the impersonation event.\\n- Check the `event.time` field to understand the timing of the event.\\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\\n\\n### False positive analysis\\n\\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\\n\\n### Response and remediation\\n\\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\\n- Reset the user session and invalidate any active sessions related to the impersonated user.\\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\\n- Review and update your security policies to prevent such incidents in the future.\\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3e6bb36c-863f-4066-834a-06b5faec6362\",\"rule_id\":\"cdbebdc1-dc97-43c6-a538-f26a20c0a911\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.439Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.session.impersonation.initiate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elas
tic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"revision\":0,\"current_rule\":{\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"updated_at\":\"2024-12-04T19:46:04.771Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.771Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence GitHub Event for a Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\nevent.action:* and github.hashed_token:* and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"event.action\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence GitHub Event for a Personal Access Token (PAT)\",\"description\":\"Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Rule Type: BBR\",\"Data Source: 
Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a383a88c-9e58-4053-9d68-779668825790\",\"rule_id\":\"ce08b55a-f67d-4804-92b5-617b0fe5a5b5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.771Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\nevent.action:* and github.hashed_token:* and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"event.action\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"revision\":0,\"current_rule\":{\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"updated_at\":\"2024-12-04T19:45:58.485Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.485Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Application\",\"description\":\"Detects attempts to delete an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ba5fdfd8-f7c1-477f-b4ea-1956054ebded\",\"rule_id\":\"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.485Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://w
ww.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"revision\":0,\"current_rule\":{\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"updated_at\":\"2024-12-04T19:45:58.502Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.502Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Delete an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy Rule\\n\\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. 
Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.\"],\"from\":\"now-6m\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.delete\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Delete an Okta Policy Rule\",\"description\":\"Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Delete an Okta Policy Rule\\n\\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. 
Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\\n\\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. Adversaries may do this to circumvent security measures and enable further malicious activities.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the policy rule deletion attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your 
organization.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b9f5020f-4a2e-4363-9baa-5006a133e269\",\"rule_id\":\"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.996Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.502Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:policy.rule.delete\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"revision\":0,\"current_rule\":{\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"updated_at\":\"2024-12-04T19:45:59.614Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.614Z\",\"created_by\":\"elastic\",\"name\":\"Attempts to Brute Force an Okta User Account\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempts to Brute Force an Okta User Account\\n\\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\\n\\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\\n- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.\\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\\n\\n### False positive analysis:\\n\\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\\n- Ensure there are no known network or application issues that might cause these events.\\n\\n### Response and remediation:\\n\\n- Alert the user and your IT department immediately.\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Require the affected user to change their password.\\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\\n- Implement account lockout policies to limit the impact of brute force attacks.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-180m\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.lock\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":3},\"actions\":[]},\"target_rule\":{\"name\":\"Attempts to Brute Force an Okta User Account\",\"description\":\"Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempts to Brute Force an Okta User Account\\n\\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\\n\\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\\n- If the IP is not familiar, investigate it. 
The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\\n- Determine if the lockout events occurred during the user's regular activity hours. Unusual timing may indicate malicious activity.\\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\\n\\n### False positive analysis:\\n\\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\\n- Ensure there are no known network or application issues that might cause these events.\\n\\n### Response and remediation:\\n\\n- Alert the user and your IT department immediately.\\n- If unauthorized access is confirmed, initiate your incident response process.\\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\\n- Require the affected user to change their password.\\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\\n- Implement account lockout policies to limit the impact of brute force attacks.\\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-180m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"@BenB196\",\"Austin 
Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5efaa37e-86c0-42df-8e76-263ce22e768f\",\"rule_id\":\"e08ccd49-0380-4b2b-8d71-8000377d6e49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.614Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and event.action:user.account.lock\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":3},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"revision\":0,\"current_rule\":{\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"updated_at\":\"2024-12-04T19:46:00.565Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.565Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Network Zone\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Network Zone\\n\\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. 
This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified.\"],\"from\":\"now-6m\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Modify an Okta Network Zone\",\"description\":\"Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Network Zone\\n\\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. 
This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Use Case: Network Security Monitoring\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly 
modified.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ce2a323-9a15-45cc-af61-1f71af168a4e\",\"rule_id\":\"e48236ca-b67a-4b4e-840c-fdc7782bc0c3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.565Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or 
zone.remove_blacklist)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"revision\":0,\"current_rule\":{\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"updated_at\":\"2024-12-04T19:46:00.580Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.580Z\",\"created_by\":\"elastic\",\"name\":\"Possible Okta DoS Attack\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects possible Denial of Service (DoS) attacks against an Okta organization. 
An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1498\",\"name\":\"Network Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1498/\"},{\"id\":\"T1499\",\"name\":\"Endpoint Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1499/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Possible Okta DoS Attack\",\"description\":\"Detects 
possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1498\",\"name\":\"Network Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1498/\"},{\"id\":\"T1499\",\"name\":\"Endpoint Denial of Service\",\"reference\":\"https://attack.mitre.org/techniques/T1499/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4d582a92-6a39-4e5a-9e79-7afdcdec4f47\",\"rule_id\":\"e6e3ecff-03dd-48ec-acbd-54a04de10c68\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.580Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"revision\":0,\"current_rule\":{\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"updated_at\":\"2024-12-04T19:46:00.616Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.616Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Okta User Password Reset or Unlock Attempts\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\\n\\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\\n- Review the event actions associated with these attempts. 
Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\\n\\n### False positive analysis:\\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized attempts are confirmed, initiate the incident response process.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[\"The number of Okta user password reset or account unlock attempts will likely vary between organizations. 
To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.\"],\"from\":\"now-60m\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and\\n 
event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\\n user.account.unlock_token)\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":5},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Okta User Password Reset or Unlock Attempts\",\"description\":\"Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\\n\\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\\n- Review the event actions associated with these attempts. 
Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\\n\\n### False positive analysis:\\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\\n\\n### Response and remediation:\\n- If unauthorized attempts are confirmed, initiate the incident response process.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Block the IP address or device used in the attempts, if they appear suspicious.\\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"@BenB196\",\"Austin Songer\"],\"false_positives\":[\"The number of Okta user password reset or account unlock attempts will likely vary between organizations. 
To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eeb7ff4f-948d-4757-bc6e-7e90f3c207b1\",\"rule_id\":\"e90ee3af-45fc-432e-a850-4a58cf14a457\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.616Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:okta.system and\\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\\n user.account.unlock_token)\\n\",\"threshold\":{\"field\":[\"okta.actor.alternate_id\"],\"value\":5},\"index\":[\"filebeat-*\",\"logs-okta*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"revision\":0,\"current_rule\":{\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"updated_at\":\"2024-12-04T19:46:01.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.688Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Deactivate an Okta Application\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Application\\n\\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\\n\\n### Response and remediation:\\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected.\"],\"from\":\"now-6m\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.deactivate\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Deactivate an Okta Application\",\"description\":\"Detects attempts to deactivate an Okta application. 
An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Deactivate an Okta Application\\n\\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\\n\\n#### Possible investigation steps:\\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\\n\\n### False positive analysis:\\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\\n- 
An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\\n\\n### Response and remediation:\\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service 
Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14f20740-2d81-4012-93dc-c7aa5885040f\",\"rule_id\":\"edb91186-1c7e-4db8-b53e-bfa33a1a0a8a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.688Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:application.lifecycle.deactivate\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"revision\":0,\"current_rule\":{\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"updated_at\":\"2024-12-04T19:46:01.700Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.700Z\",\"created_by\":\"elastic\",\"name\":\"Okta FastPass Phishing Detection\",\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when Okta FastPass prevents a user from authenticating to a phishing website.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\\nThis rule requires Okta to have the following turned on:\\n\\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and\\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\\\"FastPass declined phishing attempt\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Okta FastPass Phishing Detection\",\"description\":\"Detects when Okta FastPass prevents a user from authenticating to a phishing website.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"note\":\"\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Tactic: Initial Access\",\"Use Case: Identity and Access Audit\",\"Data Source: Okta\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\\n\\nThis rule requires Okta to have the following turned on:\\n\\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin 
Console.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"okta.event_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"okta.outcome.reason\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"74a920b4-50ca-4c09-bffc-1466d7230306\",\"rule_id\":\"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.700Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.category:authentication and\\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\\\"FastPass declined phishing attempt\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://sec.okta.com/fastpassphishingdetection\",\"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"revision\":0,\"current_rule\":{\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"updated_at\":\"2024-12-04T19:46:01.740Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.740Z\",\"created_by\":\"elastic\",\"name\":\"Administrator Role Assigned to an Okta User\",\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-6m\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.privilege.grant\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Administrator Role Assigned to an Okta User\",\"description\":\"Identifies when an administrator role is assigned to an Okta user. 
An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Data Source: Okta\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b919dfb-d75d-42b2-8dc1-9e877ea7f98a\",\"rule_id\":\"f06414a6-f2a4-466d-8eba-10f85e8abf71\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.740Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.privilege.grant\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merged_version\":[\"https://help.okta.com/en/prod/Content/Top
ics/Security/administrators-admin-comparison.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\",\"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"revision\":0,\"current_rule\":{\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"updated_at\":\"2024-12-04T19:46:04.816Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.816Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of Personal Access Token (PAT) Use For a GitHub User\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A new PAT was used for a GitHub user not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.hashed_token:* and user.name:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"user.name\",\"github.hashed_token\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of Personal Access Token (PAT) Use For a GitHub User\",\"description\":\"A new PAT was used for a GitHub user not previously seen in the last 14 
days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Persistence\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70ed8b0b-1b3f-47a7-ac6d-32cd3f7b67bd\",\"rule_id\":\"f94e898e-94f1-4545-8923-03e4b2866211\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.816Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.hashed_token:* and user.name:* 
and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"user.name\",\"github.hashed_token\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"revision\":0,\"current_rule\":{\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"updated_at\":\"2024-12-04T19:46:02.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.674Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Activity Reported by Okta User\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user reports suspicious activity for their Okta account. 
These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may report suspicious activity on their Okta account in error.\"],\"from\":\"now-6m\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Activity Reported by Okta User\",\"description\":\"Detects when a user reports suspicious activity for their Okta account. 
These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Use Case: Identity and Access Audit\",\"Data Source: Okta\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may report suspicious activity on their Okta account in error.\"],\"references\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dbdbd85c-4fb8-44c8-8894-bac01c5fd1ad\",\"rule_id\":\"f994964f-6fce-4d75-8e79-e16ccc412588\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.674Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\"],\"target_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merged_version\":[\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"okta\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merged_version\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"revision\":0,\"current_rule\":{\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"updated_at\":\"2024-12-04T19:46:04.818Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.818Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Cloned GitHub Repos From PAT\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-github.audit-*\"],\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and event.action:\\\"git.clone\\\" and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"threshold\":{\"field\":[\"github.hashed_token\"],\"value\":1,\"cardinality\":[{\"field\":\"github.repo\",\"value\":10}]},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Cloned GitHub Repos From PAT\",\"description\":\"Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.repository_public\",\"type\":\"boolean\",\"ecs\":false}],\"id\":\"a3ec44ed-ea21-4361-a397-112e20e09274\",\"rule_id\":\"fb0afac5-bbd6-49b0-b4f8-44e5381e1587\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.818Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and event.action:\\\"git.clone\\\" and \\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\") and \\ngithub.repository_public:false\\n\",\"threshold\":{\"field\":[\"github.hashed_token\"],\"value\":1,\"cardinality\":[{\"field\":\"github.repo\",\"value\":10}]},\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"revision\":0,\"current_rule\":{\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"updated_at\":\"2024-12-04T19:46:04.821Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.821Z\",\"created_by\":\"elastic\",\"name\":\"First Occurrence of IP Address For GitHub Personal Access Token (PAT)\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Occurrence of IP Address For GitHub Personal Access Token (PAT)\",\"description\":\"Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Use Case: UEBA\",\"Tactic: Initial Access\",\"Rule Type: BBR\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.actor_ip\",\"type\":\"ip\",\"ecs\":false},{\"name\":\"github.hashed_token\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"github.programmatic_access_type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a5bc9052-5004-4939-a174-cc09a13e6c84\",\"rule_id\":\"fc909baa-fb34-4c46-9691-be276ef4234c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.821Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"github.audit\\\" and event.category:\\\"configuration\\\" and\\ngithub.actor_ip:* and github.hashed_token:* and\\ngithub.programmatic_access_type:(\\\"OAuth access token\\\" or \\\"Fine-grained personal access token\\\")\\n\",\"new_terms_fields\":[\"github.hashed_token\",\"github.actor_ip\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-github.audit-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"revision\":0,\"current_rule\":{\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"updated_at\":\"2024-12-04T19:46:04.823Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.823Z\",\"created_by\":\"elastic\",\"name\":\"GitHub App Deleted\",\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the deletion of a GitHub app either from a repo or an organization.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"],\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and github.category == \\\"integration_installation\\\" and event.type == \\\"deletion\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"GitHub App Deleted\",\"description\":\"Detects the deletion of a GitHub app either from a repo or an organization.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Cloud\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Github\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"github.category\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2c819876-368f-411e-9c8f-87229e54f9b9\",\"rule_id\":\"fd01b949-81be-46d5-bcf8-284395d5f56d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.823Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where event.dataset == \\\"github.audit\\\" and github.category == \\\"integration_installation\\\" and event.type == \\\"deletion\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-github.audit-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"github\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"github\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"revision\":0,\"current_rule\":{\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"updated_at\":\"2024-12-04T19:45:40.286Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.286Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Windows Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Windows Utilities\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\\n\\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify what information was targeted.\\n- Identify the target computer and its role in the IT environment.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the host is a domain controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (?process.pe.original_file_name : \\\"procdump\\\" or process.name : \\\"procdump.exe\\\") and process.args : \\\"-ma\\\"\\n ) or\\n (\\n process.name : \\\"ProcessDump.exe\\\" and not 
process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Cisco Systems\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"WriteMiniDump.exe\\\" or process.name : \\\"WriteMiniDump.exe\\\") and\\n not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Steam\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RUNDLL32.EXE\\\" or process.name : \\\"RUNDLL32.exe\\\") and\\n (process.args : \\\"MiniDump*\\\" or process.command_line : \\\"*comsvcs.dll*#24*\\\")\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RdrLeakDiag.exe\\\" or process.name : \\\"RdrLeakDiag.exe\\\") and\\n process.args : \\\"/fullmemdmp\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"SqlDumper.exe\\\" or process.name : \\\"SqlDumper.exe\\\") and\\n process.args : \\\"0x01100*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"TTTracer.exe\\\" or process.name : \\\"TTTracer.exe\\\") and\\n process.args : \\\"-dumpFull\\\" and process.args : \\\"-attach\\\") or\\n (\\n (?process.pe.original_file_name : \\\"ntdsutil.exe\\\" or process.name : \\\"ntdsutil.exe\\\") and\\n process.args : \\\"create*full*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"diskshadow.exe\\\" or process.name : \\\"diskshadow.exe\\\") and process.args : \\\"/s\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Windows Utilities\",\"description\":\"Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Windows Utilities\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that 
is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\\n\\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify what information was targeted.\\n- Identify the target computer and its role in the IT environment.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the host is a domain controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a415ffd-b6ec-4dca-b9d2-de20bbf22dc9\",\"rule_id\":\"00140285-b827-4aee-aa09-8113f58a08f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.286Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (?process.pe.original_file_name : \\\"procdump\\\" or process.name : \\\"procdump.exe\\\") and process.args : \\\"-ma\\\"\\n ) or\\n (\\n process.name : \\\"ProcessDump.exe\\\" and not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Cisco Systems\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"WriteMiniDump.exe\\\" 
or process.name : \\\"WriteMiniDump.exe\\\") and\\n not process.parent.executable regex~ \\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\Steam\\\\\\\\.*\\\"\\\"\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RUNDLL32.EXE\\\" or process.name : \\\"RUNDLL32.exe\\\") and\\n (process.args : \\\"MiniDump*\\\" or process.command_line : \\\"*comsvcs.dll*#24*\\\")\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"RdrLeakDiag.exe\\\" or process.name : \\\"RdrLeakDiag.exe\\\") and\\n process.args : \\\"/fullmemdmp\\\"\\n ) or\\n (\\n (?process.pe.original_file_name : \\\"SqlDumper.exe\\\" or process.name : \\\"SqlDumper.exe\\\") and\\n process.args : \\\"0x01100*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"TTTracer.exe\\\" or process.name : \\\"TTTracer.exe\\\") and\\n process.args : \\\"-dumpFull\\\" and process.args : \\\"-attach\\\") or\\n (\\n (?process.pe.original_file_name : \\\"ntdsutil.exe\\\" or process.name : \\\"ntdsutil.exe\\\") and\\n process.args : \\\"create*full*\\\") or\\n (\\n (?process.pe.original_file_name : \\\"diskshadow.exe\\\" or process.name : \\\"diskshadow.exe\\\") and process.args : \\\"/s\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://lolbas-project.github.io/\"],\"target_version\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://lolbas-project.github.io/\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"revision\":0,\"current_rule\":{\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"updated_at\":\"2024-12-04T19:45:40.289Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.289Z\",\"created_by\":\"elastic\",\"name\":\"System Shells via Services\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. 
Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Shells via Services\\n\\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\\n\\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check for commands executed under the spawned shell.\\n\\n### False 
positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"services.exe\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n\\n /* Third party FP's */\\n not process.args : \\\"NVDisplay.ContainerLocalSystem\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Shells via 
Services\",\"description\":\"Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Shells via Services\\n\\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\\n\\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check for commands executed under the spawned shell.\\n\\n### False 
positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"84f7ae8d-6af4-4916-9cf3-5a71f5a7b9ac\",\"rule_id\":\"0022d47d-39c7-4f69-a232-4fe9dc7a3acd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.289Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"e
ql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"services.exe\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n\\n /* Third party FP's */\\n not process.args : \\\"NVDisplay.ContainerLocalSystem\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"updated_at\":\"2024-12-04T19:45:40.291Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.291Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Suspended User Account Renewed\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a previously suspended user's account is renewed in Google Workspace. 
An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. 
Suspended user accounts are typically used by administrators to remove access to the user while action is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.\"],\"from\":\"now-130m\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/1110339\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Suspended User Account Renewed\",\"description\":\"Detects when a previously suspended user's account is renewed in Google Workspace. 
An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. 
Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license.\"],\"references\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cf692437-c9ec-46ec-8377-1b23d2531485\",\"rule_id\":\"00678712-b2df-11ed-afe9-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.291Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.category:iam and 
event.action:UNSUSPEND_USER\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/1110339\"],\"target_version\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/1110339\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"revision\":0,\"current_rule\":{\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"updated_at\":\"2024-12-04T19:45:40.299Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.299Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Scan Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. 
By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\"],\"query\":\"destination.port : * and event.action : \\\"network_flow\\\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Scan Detected\",\"description\":\"This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. 
This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"5ae670a3-8ade-4d40-96ae-ecb22afe0713\",\"rule_id\":\"0171f283-ade7-4f87-9521-ac346c68cc9b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.997Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.299Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : * and event.action : \\\"network_flow\\\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: 
Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"filebeat-*\",\"auditbeat-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"revision\":0,\"current_rule\":{\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"updated_at\":\"2024-12-04T19:45:41.399Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.399Z\",\"created_by\":\"elastic\",\"name\":\"Potential Cookies Theft via Browser Debugging\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Developers performing browsers plugin or extension debugging.\"],\"from\":\"now-9m\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session 
Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/defaultnamehere/cookie_crimes\",\"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\",\"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md\",\"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"],\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\", \\\"info\\\") and\\n process.name in (\\n \\\"Microsoft Edge\\\",\\n \\\"chrome.exe\\\",\\n \\\"Google Chrome\\\",\\n \\\"google-chrome-stable\\\",\\n \\\"google-chrome-beta\\\",\\n \\\"google-chrome\\\",\\n \\\"msedge.exe\\\") and\\n process.args : (\\\"--remote-debugging-port=*\\\",\\n \\\"--remote-debugging-targets=*\\\",\\n 
\\\"--remote-debugging-pipe=*\\\") and\\n process.args : \\\"--user-data-dir=*\\\" and not process.args:\\\"--remote-debugging-port=0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Cookies Theft via Browser Debugging\",\"description\":\"Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Developers performing browsers plugin or extension debugging.\"],\"references\":[\"https://github.com/defaultnamehere/cookie_crimes\",\"https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/\",\"https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md\",\"https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) 
for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c76f287f-fb13-4d39-a1fd-dc4373e8a9ff\",\"rule_id\":\"027ff9ea-85e7-42e3-99d2-bbb7069e02eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.399Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\", \\\"info\\\") and\\n process.name in (\\n \\\"Microsoft Edge\\\",\\n \\\"chrome.exe\\\",\\n \\\"Google Chrome\\\",\\n \\\"google-chrome-stable\\\",\\n \\\"google-chrome-beta\\\",\\n \\\"google-chrome\\\",\\n \\\"msedge.exe\\\") and\\n process.args : (\\\"--remote-debugging-port=*\\\",\\n \\\"--remote-debugging-targets=*\\\",\\n \\\"--remote-debugging-pipe=*\\\") and\\n process.args : \\\"--user-data-dir=*\\\" and not process.args:\\\"--remote-debugging-port=0\\\"\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"revision\":0,\"current_rule\":{\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"updated_at\":\"2024-12-04T19:45:41.539Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.539Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via DuplicateHandle in LSASS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. 
This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/CCob/MirrorDump\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n\\n /* LSASS requesting DuplicateHandle access right to another process */\\n process.name : \\\"lsass.exe\\\" and winlog.event_data.GrantedAccess == \\\"0x40\\\" and\\n\\n /* call is coming from an unknown executable region */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via DuplicateHandle in LSASS\",\"description\":\"Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/CCob/MirrorDump\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"137d0372-612b-4be5-ab72-e9f02c6144e1\",\"rule_id\":\"02a4576a-7480-4284-9327-548a806b5e48\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.539Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n\\n /* LSASS requesting DuplicateHandle access right to another process */\\n process.name : \\\"lsass.exe\\\" and winlog.event_data.GrantedAccess == \\\"0x40\\\" and\\n\\n /* call is coming from an unknown executable region */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"revision\":0,\"current_rule\":{\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"updated_at\":\"2024-12-04T19:45:41.425Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.425Z\",\"created_by\":\"elastic\",\"name\":\"High Number of Process and/or Service Terminations\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Process and/or Service Terminations\\n\\nAttackers can stop services and kill processes for a variety of purposes. 
For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\\n\\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore it to the operational state.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/luna-ransomware-attack-pattern\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or 
sc.exe or taskkill.exe) and\\n process.args:(stop or pause or delete or \\\"/PID\\\" or \\\"/IM\\\" or \\\"/T\\\" or \\\"/F\\\" or \\\"/t\\\" or \\\"/f\\\" or \\\"/im\\\" or \\\"/pid\\\") and\\n not process.parent.name:osquerybeat.exe\\n\",\"threshold\":{\"field\":[\"host.id\"],\"value\":10},\"actions\":[]},\"target_rule\":{\"name\":\"High Number of Process and/or Service Terminations\",\"description\":\"This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating High Number of Process and/or Service Terminations\\n\\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\\n\\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore it to the operational state.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/luna-ransomware-attack-pattern\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1489\",\"name\":\"Service Stop\",\"reference\":\"https://attack.mitre.org/techniques/T1489/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b69be826-890c-48d3-b55d-e6ff733aa048\",\"rule_id\":\"035889c4-2686-4583-a7df-67f89c292f2c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.425Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\\n process.args:(stop or pause or delete or \\\"/PID\\\" or \\\"/IM\\\" or \\\"/T\\\" or \\\"/F\\\" or \\\"/t\\\" or \\\"/f\\\" or \\\"/im\\\" or \\\"/pid\\\") and\\n not process.parent.name:osquerybeat.exe\\n\",\"threshold\":{\"field\":[\"host.id\"],\"value\":10},\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"revision\":0,\"current_rule\":{\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"updated_at\":\"2024-12-04T19:45:41.427Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.427Z\",\"created_by\":\"elastic\",\"name\":\"Potential Memory Seeking 
Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/arget13/DDexec\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and 
(\\n (process.name == \\\"tail\\\" and process.args == \\\"-c\\\") or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Memory Seeking Activity\",\"description\":\"Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/arget13/DDexec\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8d2c56d4-9ecc-4de5-a1f4-49051213a485\",\"rule_id\":\"035a6f21-4092-471d-9cda-9e379f459b1e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.427Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", 
\\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like \\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"
ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args == \\\"-c\\\") or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", \\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like 
\\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n (process.name == \\\"tail\\\" and process.args in (\\\"-c\\\", \\\"--bytes\\\")) or\\n (process.name == \\\"cmp\\\" and process.args == \\\"-i\\\") or\\n (process.name in (\\\"hexdump\\\", \\\"xxd\\\") and process.args == \\\"-s\\\") or\\n (process.name == \\\"dd\\\" and process.args : (\\\"skip*\\\", \\\"seek*\\\"))\\n) and not (\\n process.parent.args like (\\\"/opt/error_monitor/error_monitor.sh\\\", \\\"printf*\\\") or\\n process.parent.name in (\\\"acme.sh\\\", \\\"dracut\\\", \\\"leapp\\\") or\\n process.parent.executable like (\\n \\\"/bin/cagefs_enter\\\", \\\"/opt/nessus_agent/sbin/nessus-service\\\", \\\"/usr/libexec/platform-python*\\\",\\n \\\"/usr/libexec/vdsm/vdsmd\\\", \\\"/usr/local/bin/docker-entrypoint.sh\\\", \\\"/usr/lib/module-init-tools/lsinitrd-quick\\\"\\n ) or\\n process.parent.command_line like \\\"sh*acme.sh*\\\" or\\n process.args like \\\"/var/tmp/dracut*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"revision\":0,\"current_rule\":{\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"updated_at\":\"2024-12-04T19:45:41.437Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.437Z\",\"created_by\":\"elastic\",\"name\":\"Modification of OpenSSH Binaries\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of OpenSSH Binaries\\n\\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\\n\\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\\n\\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account, preferably combined with command line conditions: an exception scoped to the account alone also suppresses alerts if that account is later compromised.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted OpenSSH executable updates. 
It's recommended to verify the integrity of OpenSSH binary changes.\"],\"from\":\"now-9m\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\nNote: as shipped, this rule only queries the `logs-endpoint.events.*` and `endgame-*` index patterns. If you rely on Auditbeat for this data, add the Auditbeat indices to the rule's index patterns; otherwise those events are never evaluated by the rule.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not process.executable:/usr/share/elasticsearch/*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of OpenSSH Binaries\",\"description\":\"Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of OpenSSH Binaries\\n\\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\\n\\nAdversaries may exploit OpenSSH by modifying its binaries, such as 
`/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\\n\\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.\"],\"references\":[\"https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f191dea8-f8b3-45db-a434-e11c4afa9d81\",\"rule_id\":\"0415f22a-2336-45fa-ba07-618a5942e22c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.437Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n 
file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not process.executable:/usr/share/elasticsearch/*\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:file and host.os.type:linux and event.type:change and \\n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \\n (file.path:(/usr/bin/scp or \\n /usr/bin/sftp or \\n /usr/bin/ssh or \\n /usr/sbin/sshd) or \\n file.name:libkeyutils.so) and\\n not (\\n process.executable:/usr/share/elasticsearch/* or\\n process.name : (apk or ansible-admin 
or systemd or dnf or python*)\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"revision\":0,\"current_rule\":{\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"updated_at\":\"2024-12-04T19:45:41.442Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.442Z\",\"created_by\":\"elastic\",\"name\":\"Potential DLL Side-Loading via Microsoft Antimalware Service Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Dennis Perto\"],\"false_positives\":[\"Microsoft Antimalware Service Executable installed on non default installation path.\"],\"from\":\"now-9m\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.pe.original_file_name == \\\"MsMpEng.exe\\\" and not process.name : \\\"MsMpEng.exe\\\") or\\n (process.name : \\\"MsMpEng.exe\\\" and not\\n process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DLL Side-Loading via Microsoft Antimalware Service Executable\",\"description\":\"Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Dennis Perto\"],\"false_positives\":[\"Microsoft Antimalware Service Executable installed on non default installation path.\"],\"references\":[\"https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9bc8c1d6-5a15-4b2d-9a7b-0c02e9ea3ac9\",\"rule_id\":\"053a0387-f3b5-4ba5-8245-8002cca2bd08\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.442Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.pe.original_file_name == \\\"MsMpEng.exe\\\" and not process.name : \\\"MsMpEng.exe\\\") or\\n (process.name : \\\"MsMpEng.exe\\\" and not\\n process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Security 
Client\\\\\\\\*.exe\\\"))\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"revision\":0,\"current_rule\":{\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"updated_at\":\"2024-12-04T19:45:41.444Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.444Z\",\"created_by\":\"elastic\",\"name\":\"Systemd-udevd Rule File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. 
Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"},{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", 
\\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd-udevd Rule File Creation\",\"description\":\"Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4631a486-1704-4014-b895-28d7f23947da\",\"rule_id\":\"054db96b-fd34-43b3-9af2-587b3bd33964\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.444Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", 
\\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"},{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == 
\\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", 
\\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and \\nprocess.executable != null and file.extension == \\\"rules\\\" and\\nfile.path : (\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", 
\\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/lib/systemd/system-generators/netplan\\\", \\\"/lib/systemd/systemd\\\", \\\"/usr/bin/containerd\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/kaniko/executor\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\"\\n ) or\\n process.name in (\\\"systemd\\\", \\\"netplan\\\", \\\"apt-get\\\", \\\"vmware-config-tools.pl\\\", \\\"systemd-hwdb\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"revision\":0,\"current_rule\":{\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"updated_at\":\"2024-12-04T19:45:40.135Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.135Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft IIS Service Account Password Dumped\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. 
An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"list\\\" and process.args : 
\\\"/text*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft IIS Service Account Password Dumped\",\"description\":\"Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae83e68a-0003-4322-8a80-86a0d769ed81\",\"rule_id\":\"0564fb9d-90b9-4234-a411-82a546dc1343\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.135Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"list\\\" and process.args : \\\"/text*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data 
Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"revision\":0,\"current_rule\":{\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"updated_at\":\"2024-12-04T19:45:41.447Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.447Z\",\"created_by\":\"elastic\",\"name\":\"Conhost Spawned By Suspicious Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when 
the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Conhost Spawned By Suspicious Parent Process\\n\\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\\n\\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the parent process executable and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, 
Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"conhost.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\", \\\"services.exe\\\", \\\"smss.exe\\\", \\\"winlogon.exe\\\", \\\"explorer.exe\\\", \\\"dllhost.exe\\\", \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\", \\\"userinit.exe\\\", \\\"wininit.exe\\\", \\\"spoolsv.exe\\\", \\\"ctfmon.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : 
(\\\"?:\\\\\\\\Windows\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PcaSvc.dll,PcaPatchSdbTask\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\davclnt.dll,DavSetCookie\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Conhost Spawned By Suspicious Parent Process\",\"description\":\"Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Conhost Spawned By Suspicious Parent Process\\n\\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\\n\\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the parent process executable and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2672992d-ea62-4aef-bebc-b59fdbfcf0eb\",\"rule_id\":\"05b358de-aa6d-4f6c-89e6-78f74018b43b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.447Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"conhost.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\", \\\"services.exe\\\", \\\"smss.exe\\\", \\\"winlogon.exe\\\", \\\"explorer.exe\\\", \\\"dllhost.exe\\\", \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\", \\\"userinit.exe\\\", \\\"wininit.exe\\\", \\\"spoolsv.exe\\\", \\\"ctfmon.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PcaSvc.dll,PcaPatchSdbTask\\\",\\n 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\davclnt.dll,DavSetCookie\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"revision\":0,\"current_rule\":{\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"updated_at\":\"2024-12-04T19:45:41.458Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.458Z\",\"created_by\":\"elastic\",\"name\":\"Remote System Discovery Commands\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Discovery of remote system information using built-in commands, which may be used to move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote System Discovery Commands\\n\\nAfter successfully compromising an environment, attackers may try to 
gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of built-in utilities such as `arp`, `nbtstat`, `nltest`, `nslookup`, `dsquery`/`dsget`, and `net group /domain` to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"nbtstat.exe\\\" and process.args : (\\\"-n\\\", \\\"-s\\\")) or\\n (process.name : \\\"arp.exe\\\" and process.args : \\\"-a\\\") or\\n (process.name : \\\"nltest.exe\\\" and process.args : (\\\"/dclist\\\", \\\"/dsgetdc\\\")) or\\n (process.name : \\\"nslookup.exe\\\" and process.args : \\\"*_ldap._tcp.dc.*\\\") or\\n (process.name: (\\\"dsquery.exe\\\", \\\"dsget.exe\\\") and process.args: \\\"subnet\\\") or\\n ((((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and not \\n process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"group\\\" and process.args : \\\"/domain\\\" and not process.args : \\\"/add\\\"))) and\\n not\\n (\\n (\\n process.name : \\\"arp.exe\\\" and\\n process.parent.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\Workspace Environment Management Agent\\\\\\\\Citrix.Wem.Agent.Service.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Lansweeper\\\\\\\\Service\\\\\\\\LansweeperService.exe\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote System Discovery Commands\",\"description\":\"Discovery of remote system information using built-in commands, 
which may be used to move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote System Discovery Commands\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of built-in utilities such as `arp`, `nbtstat`, `nltest`, `nslookup`, `dsquery`/`dsget`, and `net group /domain` to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f415a032-ac47-40d6-b9da-69574b7c6851\",\"rule_id\":\"0635c542-1b96-4335-9b47-126582d2c19a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.458Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"nbtstat.exe\\\" and process.args : (\\\"-n\\\", \\\"-s\\\")) or\\n (process.name : \\\"arp.exe\\\" and process.args : \\\"-a\\\") or\\n (process.name : \\\"nltest.exe\\\" and process.args : (\\\"/dclist\\\", \\\"/dsgetdc\\\")) or\\n (process.name : \\\"nslookup.exe\\\" and process.args : \\\"*_ldap._tcp.dc.*\\\") or\\n (process.name: (\\\"dsquery.exe\\\", \\\"dsget.exe\\\") and process.args: \\\"subnet\\\") or\\n ((((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and not \\n process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"group\\\" and process.args : \\\"/domain\\\" and not process.args : \\\"/add\\\"))) and\\n not\\n (\\n (\\n process.name : \\\"arp.exe\\\" 
and\\n process.parent.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\CentraStage\\\\\\\\AEMAgent\\\\\\\\AEMAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\Workspace Environment Management Agent\\\\\\\\Citrix.Wem.Agent.Service.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Lansweeper\\\\\\\\Service\\\\\\\\LansweeperService.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"revision\":0,\"current_rule\":{\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"updated_at\":\"2024-12-04T19:45:41.460Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.460Z\",\"created_by\":\"elastic\",\"name\":\"System Time Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: 
BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1124\",\"name\":\"System Time Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1124/\"}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name: \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"time\\\" and 
not process.args : \\\"/set\\\"\\n ) or \\n (process.name: \\\"w32tm.exe\\\" and process.args: \\\"/tz\\\") or \\n (process.name: \\\"tzutil.exe\\\" and process.args: \\\"/g\\\")\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Time Discovery\",\"description\":\"Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1124\",\"name\":\"System Time 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1124/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9fed4dda-8f21-43ea-881f-8b8403db53b2\",\"rule_id\":\"06568a02-af29-4f20-929c-f3af281e41aa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.460Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name: \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\")) and \\n process.args : \\\"time\\\" and not process.args : \\\"/set\\\"\\n ) or \\n (process.name: \\\"w32tm.exe\\\" and process.args: \\\"/tz\\\") or \\n (process.name: \\\"tzutil.exe\\\" and process.args: \\\"/g\\\")\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"revision\":0,\"current_rule\":{\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"updated_at\":\"2024-12-04T19:45:41.463Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.463Z\",\"created_by\":\"elastic\",\"name\":\"Enumerating Domain Trusts via DSQUERY.EXE\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes.\"],\"from\":\"now-9m\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)\",\"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"dsquery.exe\\\" or ?process.pe.original_file_name: \\\"dsquery.exe\\\") and \\n process.args : \\\"*objectClass=trustedDomain*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumerating Domain Trusts via DSQUERY.EXE\",\"description\":\"Identifies the use of dsquery.exe for domain trust discovery purposes. 
Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes.\"],\"references\":[\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)\",\"https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b8381fae-148c-4ea3-a416-30558979f2a6\",\"rule_id\":\"06a7a03c-c735-47a6-a313-51c354aef6c3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.463Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"dsquery.exe\\\" or ?process.pe.original_file_name: \\\"dsquery.exe\\\") and \\n process.args : 
\\\"*objectClass=trustedDomain*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"revision\":0,\"current_rule\":{\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"updated_at\":\"2024-12-04T19:45:41.465Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.465Z\",\"created_by\":\"elastic\",\"name\":\"Potential Evasion via Filter Manager\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade 
defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Evasion via Filter Manager\\n\\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\\n\\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\\n\\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line event to identify the target driver.\\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON 
services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"fltMC.exe\\\" and process.args : \\\"unload\\\" and\\n not\\n (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\DCFAService64.exe\\\" and\\n process.args : (\\\"DFMFilter\\\", \\\"DRMFilter\\\")\\n ) or\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\" and\\n process.args : (\\\"BrFilter_*\\\", \\\"BrCow_*\\\") and\\n user.id : \\\"S-1-5-18\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Evasion via Filter Manager\",\"description\":\"The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### 
Investigating Potential Evasion via Filter Manager\\n\\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\\n\\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\\n\\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line event to identify the target driver.\\n - Identify the minifilter's role in the environment and if it is security-related. Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON 
services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3a17b463-4fba-4c30-8eee-5a8a2ba57017\",\"rule_id\":\"06dceabf-adca-48af-ac79-ffdf4c3b1e9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.465Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"fltMC.exe\\\" and process.args : \\\"unload\\\" and\\n not\\n (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\DCFAService64.exe\\\" and\\n process.args : (\\\"DFMFilter\\\", \\\"DRMFilter\\\")\\n ) or\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\" and\\n process.args : (\\\"BrFilter_*\\\", \\\"BrCow_*\\\") and\\n user.id : \\\"S-1-5-18\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"revision\":0,\"current_rule\":{\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"updated_at\":\"2024-12-04T19:45:41.467Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.467Z\",\"created_by\":\"elastic\",\"name\":\"Remote Desktop Enabled in Windows Firewall by Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary 
Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : (\\\"localport=3389\\\", \\\"RemoteDesktop\\\", \\\"group=\\\\\\\"remote desktop\\\\\\\"\\\") and\\n process.args : (\\\"action=allow\\\", \\\"enable=Yes\\\", \\\"enable\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Desktop Enabled in Windows Firewall by Netsh\",\"description\":\"Identifies use of the network shell utility (netsh.exe) to enable 
inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8b9365c-ff0a-4d57-95b8-1f46f3f94241\",\"rule_id\":\"074464f9-f30d-4029-8c03-0ed237fffec7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.467Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : (\\\"localport=3389\\\", \\\"RemoteDesktop\\\", \\\"group=\\\\\\\"remote desktop\\\\\\\"\\\") and\\n process.args : (\\\"action=allow\\\", \\\"enable=Yes\\\", 
\\\"enable\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"revision\":0,\"current_rule\":{\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"updated_at\":\"2024-12-04T19:45:40.165Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.165Z\",\"created_by\":\"elastic\",\"name\":\"Local Account TokenFilter Policy Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modification to the LocalAccountTokenFilterPolicy policy. 
If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439\",\"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\",\"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"LocalAccountTokenFilterPolicy\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Local Account TokenFilter Policy Disabled\",\"description\":\"Identifies registry modification to the LocalAccountTokenFilterPolicy 
policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439\",\"https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167\",\"https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d6b16bf6-ea56-4ea1-baf8-fcee5070ed25\",\"rule_id\":\"07b1ef73-1fde-4a49-a34a-5dd40011b076\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.998Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.165Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"LocalAccountTokenFilterPolicy\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\",\\n \\\"MACHINE\\\\\\\\*\\\\\\\\LocalAccountTokenFilterPolicy\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"updated_at\":\"2024-12-04T19:45:41.475Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.475Z\",\"created_by\":\"elastic\",\"name\":\"Google Drive Ownership Transferred via Google Workspace\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. 
Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Drive Ownership Transferred via Google Workspace\\n\\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\\n\\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\\n\\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\\n\\n#### Possible investigation steps\\n\\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\\n- Determine if involved user accounts are active. 
To view user activity, go to `Directory > Users`.\\n- Check if the involved user accounts were recently disabled, then re-enabled.\\n- Review involved user accounts for potentially misconfigured permissions or roles.\\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\\n\\n### False positive analysis\\n\\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.\"],\"from\":\"now-130m\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.002\",\"name\":\"Remote Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/1247799?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CREATE_DATA_TRANSFER_REQUEST\\\"\\n and event.category:\\\"iam\\\" and google_workspace.admin.application.name:Drive*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Drive Ownership Transferred via Google Workspace\",\"description\":\"Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Drive Ownership Transferred via Google Workspace\\n\\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\\n\\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. 
With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\\n\\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\\n\\n#### Possible investigation steps\\n\\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\\n- Check if the involved user accounts were recently disabled, then re-enabled.\\n- Review involved user accounts for potentially misconfigured permissions or roles.\\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\\n- If a shared drive, review access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\\n\\n### False positive analysis\\n\\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee.\"],\"references\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.002\",\"name\":\"Remote Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/002/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"20e5c9ba-a2fb-402b-bcaa-3e53020cdf53\",\"rule_id\":\"07b5f85a-240f-11ed-b3d9-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.475Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CREATE_DATA_TRANSFER_REQUEST\\\"\\n and event.category:\\\"iam\\\" and google_workspace.admin.application.name:Drive*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/1247799?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/1247799?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"revision\":0,\"current_rule\":{\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"updated_at\":\"2024-12-04T19:45:41.484Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.484Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Removable Device\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1091\",\"name\":\"Replication Through Removable Media\",\"reference\":\"https://attack.mitre.org/techniques/T1091/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1052\",\"name\":\"Exfiltration Over Physical 
Medium\",\"reference\":\"https://attack.mitre.org/techniques/T1052/\",\"subtechnique\":[{\"id\":\"T1052.001\",\"name\":\"Exfiltration over USB\",\"reference\":\"https://attack.mitre.org/techniques/T1052/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html\",\"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"registry\\\" and host.os.type:\\\"windows\\\" and registry.value:\\\"FriendlyName\\\" and registry.path:*USBSTOR*\\n\",\"new_terms_fields\":[\"registry.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Removable Device\",\"description\":\"Identifies newly seen removable devices by device friendly name using registry modification events. 
While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html\",\"https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1091\",\"name\":\"Replication Through Removable Media\",\"reference\":\"https://attack.mitre.org/techniques/T1091/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1052\",\"name\":\"Exfiltration Over Physical Medium\",\"reference\":\"https://attack.mitre.org/techniques/T1052/\",\"subtechnique\":[{\"id\":\"T1052.001\",\"name\":\"Exfiltration over 
USB\",\"reference\":\"https://attack.mitre.org/techniques/T1052/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"51928ae5-4532-4c66-86b0-c5ba3ff74fce\",\"rule_id\":\"0859355c-0f08-4b43-8ff5-7d2a4789fc08\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.484Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"registry\\\" and host.os.type:\\\"windows\\\" and registry.value:\\\"FriendlyName\\\" and registry.path:*USBSTOR*\\n\",\"new_terms_fields\":[\"registry.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"revision\":0,\"current_rule\":{\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"updated_at\":\"2024-12-04T19:45:41.496Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.496Z\",\"created_by\":\"elastic\",\"name\":\"Process Termination followed by Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate what occurred. 
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Termination followed by Deletion\\n\\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic 
Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\")\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\"\\n )\\n ] by file.path\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Termination followed by Deletion\",\"description\":\"Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Termination followed by Deletion\\n\\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File 
Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3db66c3c-e156-4acc-b305-6b84ddd9508c\",\"rule_id\":\"09443c92-46b3-45a4-8f25-383b028b258d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.496Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n 
process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not (process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by 
file.path\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",
\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\")\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not 
(process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\" and\\n process.code_signature.trusted != true and\\n not process.executable like\\n (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not (\\n process.name : \\\"infinst.exe\\\" and process.parent.name: \\\"dxsetup.exe\\\" and\\n process.parent.code_signature.subject_name == \\\"NVIDIA Corporation\\\" and\\n process.parent.code_signature.status == \\\"trusted\\\"\\n )\\n ] by process.executable\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and file.extension in~ (\\\"exe\\\", \\\"scr\\\", \\\"com\\\") and\\n not process.executable like\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Postillion\\\\\\\\Office\\\\\\\\*.exe\\\") and\\n not file.path like (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\$WinREAgent\\\\\\\\Scratch\\\\\\\\*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\LogiUI\\\\\\\\Pak\\\\\\\\uninstall.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\*.exe\\\"\\n ) and\\n not (process.name : \\\"OktaVerifySetup-*.exe\\\" and process.code_signature.subject_name == \\\"Okta, Inc.\\\") and\\n not (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\" and\\n process.code_signature.subject_name == \\\"Citrix Systems, Inc.\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\Citrix\\\\\\\\UpdaterBinaries\\\\\\\\CitrixReceiver\\\\\\\\*\\\\\\\\bootstrapperhelper.exe\\\"\\n )\\n ] by file.path\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"revision\":0,\"current_rule\":{\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"updated_at\":\"2024-12-04T19:45:41.498Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.498Z\",\"created_by\":\"elastic\",\"name\":\"File Creation, Execution and Self-Deletion in Suspicious Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as the configuration setting, which provides \\\"All events; all preventions\\\".\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action 
== \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Creation, Execution and Self-Deletion in Suspicious Directory\",\"description\":\"This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as the configuration setting, which provides \\\"All events; all preventions\\\".\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f505cd07-0989-42ed-b6ad-9c24ce7245f6\",\"rule_id\":\"09bc6c90-7501-494d-b015-5d988dc3f233\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.498Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : 
(\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome
\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1m\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and \\n process.name in (\\\"curl\\\", \\\"wget\\\", \\\"fetch\\\", \\\"ftp\\\", \\\"sftp\\\", \\\"scp\\\", \\\"rsync\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.parent.executable like (\\n \\\"/tmp/VeeamApp*\\\", \\\"/tmp/rajh/spack-stage/*\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/bridge-dev\\\",\\n \\\"/usr/bin/ranlib\\\", \\\"/usr/bin/ar\\\", \\\"plz-out/bin/vault/bridge/test/e2e/base/local-k8s\\\" \\n )] by process.name\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"deletion\\\" and not process.name in (\\\"rm\\\", \\\"ld\\\") and \\n file.path : (\\\"/dev/shm/*\\\", \\\"/run/shm/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\",\\n \\\"/run/*\\\", \\\"/var/run/*\\\", 
\\\"/var/www/*\\\", \\\"/proc/*/fd/*\\\")] by file.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"revision\":0,\"current_rule\":{\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"updated_at\":\"2024-12-04T19:45:41.508Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.508Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Remote Execution Capabilities via WinRM\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1021/006/\",\"https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs\",\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"Invoke-WmiMethod\\\" or \\\"Invoke-Command\\\" or \\\"Enter-PSSession\\\") and \\\"ComputerName\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not file.directory : 
(\\n \\\"C:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\tmp\\\"\\n ) and not\\n powershell.file.script_block_text : (\\n \\\"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\\\" and\\n \\\"function Invoke-Command {\\\"\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\allcommands.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\*\\\\\\\\bin\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ExchangeServer\\\\\\\\bin*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Remote Execution Capabilities via WinRM\",\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1021/006/\",\"https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs\",\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e68c7236-77a0-48ee-a499-67b62a1ad070\",\"rule_id\":\"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.508Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\allcommands.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\*\\\\\\\\bin\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.directory\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ExchangeServer\\\\\\\\bin*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"Invoke-WmiMethod\\\" or \\\"Invoke-Command\\\" or 
\\\"Enter-PSSession\\\") and \\\"ComputerName\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not file.directory : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\tmp\\\"\\n ) and not\\n powershell.file.script_block_text : (\\n \\\"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\\\" and\\n \\\"function Invoke-Command {\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"revision\":0,\"current_rule\":{\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"updated_at\":\"2024-12-04T19:45:41.510Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.510Z\",\"created_by\":\"elastic\",\"name\":\"Yum Package Manager Plugin File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n 
\\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Yum Package Manager Plugin File Creation\",\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c37a5ef2-b664-40d9-beb7-8e817009f21d\",\"rule_id\":\"0b15bcad-aff1-4250-a5be-5d1b7eb56d07\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.510Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", 
\\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"target_version\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"merged_version\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\"],\"target_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", 
\\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n process.name == \\\"yumBackend.py\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n file.Ext.original.name like \\\".ansible*\\\" or\\n file.name like \\\".ansible_tmp*\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"revision\":0,\"current_rule\":{\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"updated_at\":\"2024-12-04T19:45:41.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.670Z\",\"created_by\":\"elastic\",\"name\":\"Anomalous Windows Process Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual parent-child process relationships 
that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Windows Process Creation\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unisgned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_creation\"],\"actions\":[]},\"target_rule\":{\"name\":\"Anomalous Windows Process Creation\",\"description\":\"Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. 
For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Windows Process Creation\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unisgned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"581a371e-4041-4cd7-a1a2-69a4070e7ddc\",\"rule_id\":\"0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.670Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_creation\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"revision\":0,\"current_rule\":{\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"updated_at\":\"2024-12-04T19:45:41.513Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.513Z\",\"created_by\":\"elastic\",\"name\":\"User account exposed to Kerberoasting\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating User account exposed to Kerberoasting\\n\\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\\n\\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\\n\\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\\n\\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\\n\\nAttackers can also perform \\\"Targeted Kerberoasting\\\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\\n- Investigate if tickets have been requested for the target account.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting\",\"https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/\",\"https://www.thehacker.recipes/ad/movement/kerberos/kerberoast\",\"https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting\",\"https://adsecurity.org/?p=280\",\"https://github.com/OTRF/Set-AuditRule\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknow
n\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.OperationType:\\\"%%14674\\\" and\\n winlog.event_data.ObjectClass:\\\"user\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"servicePrincipalName\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User account exposed to Kerberoasting\",\"description\":\"Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principal Names (SPNs) so that they can perform Kerberoasting. 
Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User account exposed to Kerberoasting\\n\\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\\n\\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\\n\\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\\n\\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\\n\\nAttackers can also perform \\\"Targeted Kerberoasting\\\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\\n- Investigate if tickets have been requested for the target account.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting\",\"https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/\",\"https://www.thehacker.recipes/ad/movement/kerberos/kerberoast\",\"https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting\",\"https://adsecurity.org/?p=280\",\"https://github.com/OTRF/Set-AuditRule\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows 
Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31e1c05e-bfbe-4f0c-8a11-7f648a54a461\",\"rule_id\":\"0b2f3da5-b5ec-47d1-908b-6ebb74814289\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.513Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.OperationType:\\\"%%14674\\\" and\\n winlog.event_data.ObjectClass:\\\"user\\\" and\\n 
winlog.event_data.AttributeLDAPDisplayName:\\\"servicePrincipalName\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"revision\":0,\"current_rule\":{\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"updated_at\":\"2024-12-04T19:45:41.522Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.522Z\",\"created_by\":\"elastic\",\"name\":\"Peripheral Device Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Peripheral Device Discovery\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1120\",\"name\":\"Peripheral Device Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1120/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"fsinfo\\\" and process.args : \\\"drives\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Peripheral Device Discovery\",\"description\":\"Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Peripheral Device Discovery\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1120\",\"name\":\"Peripheral Device 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1120/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"90b9f570-4c70-4dcf-8bb9-5232e0cca496\",\"rule_id\":\"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.522Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"fsinfo\\\" and process.args : \\\"drives\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"revision\":0,\"current_rule\":{\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"updated_at\":\"2024-12-04T19:46:03.687Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.687Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations imply that a user may be intentionally attempting to circumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict 
policies\"],\"from\":\"now-60m\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session\",\"description\":\"Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. 
Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: 
T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"7c55bad8-7ad6-4f39-9739-0202c143e6fb\",\"rule_id\":\"0cd2f3e6-41da-40e6-b28b-466f688f00a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.687Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User 
Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify 
if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations by a Single User Over a Session.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that caused multiple policy violations over a session and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations by a single user over session, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| stats violations = count(*) by user.id, 
gen_ai.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.compliance.violation_detected\\n| keep user.id, gen_ai.request.model.id, cloud.account.id\\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where violations > 1\\n| sort violations desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"revision\":0,\"current_rule\":{\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"updated_at\":\"2024-12-04T19:45:41.536Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.536Z\",\"created_by\":\"elastic\",\"name\":\"Execution of File Written or Modified by Microsoft Office\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an executable created by a Microsoft Office application and subsequently executed. 
These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by Microsoft Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-120m\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of File Written or Modified by Microsoft 
Office\",\"description\":\"Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by Microsoft Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-120m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"36ccce83-e8dd-487b-aac1-782aa889b48d\",\"rule_id\":\"0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:41.536Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and 
process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"WINWORD.EXE\\\" or\\n process.name : \\\"EXCEL.EXE\\\" or\\n process.name : \\\"OUTLOOK.EXE\\\" or\\n process.name : \\\"POWERPNT.EXE\\\" or\\n process.name : \\\"eqnedt32.exe\\\" or\\n process.name : \\\"fltldr.exe\\\" or\\n process.name : \\\"MSPUB.EXE\\\" or\\n process.name : \\\"MSACCESS.EXE\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n not (process.name : \\\"NewOutlookInstaller.exe\\\" and process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) and \\n not (process.name : \\\"ShareFileForOutlook-v*.exe\\\" and process.code_signature.subject_name : \\\"Citrix Systems, Inc.\\\" and process.code_signature.trusted == true)\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"revision\":0,\"current_rule\":{\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"updated_at\":\"2024-12-04T19:45:42.480Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.480Z\",\"created_by\":\"elastic\",\"name\":\"MsBuild Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. 
Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the 
environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : \\\"localhost\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MsBuild Making Network Connections\",\"description\":\"Identifies MsBuild.exe making outbound network connections. 
This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7e31faaf-6df5-4841-abc3-d7a3dfe59fbc\",\"rule_id\":\"0e79980b-4250-4a50-a509-69294c14e84b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.480Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n 
process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"merged_version\":[\"https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\\n\\n### Investigating MsBuild Making Network Connections\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. 
This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\\n\\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : 
\\\"MSBuild.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"MSBuild.exe\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : \\\"localhost\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=30s\\n\\n /* Look for MSBuild.exe process execution */\\n /* The events for this first sequence may be noisy, consider adding exceptions */\\n [process where host.os.type == \\\"windows\\\"\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and event.type == \\\"start\\\" and user.id != \\\"S-1-5-18\\\"]\\n\\n /* Followed by a network connection to an external address */\\n /* Exclude domains that are known to be benign */\\n [network where 
host.os.type == \\\"windows\\\"\\n and event.action: (\\\"connection_attempted\\\", \\\"lookup_requested\\\")\\n and (\\n process.pe.original_file_name: \\\"MSBuild.exe\\\" or\\n process.name: \\\"MSBuild.exe\\\"\\n )\\n and not user.id != \\\"S-1-5-18\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\") and\\n not dns.question.name : (\\n \\\"localhost\\\",\\n \\\"dc.services.visualstudio.com\\\",\\n \\\"vortex.data.microsoft.com\\\",\\n \\\"api.nuget.org\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"revision\":0,\"current_rule\":{\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"updated_at\":\"2024-12-04T19:45:42.482Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.482Z\",\"created_by\":\"elastic\",\"name\":\"rc.local/rc.common File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \\\"systemd-rc-local-generator\\\", rc.local files can be converted to services that run at boot. 
Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating rc.local/rc.common File Creation\\n\\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\\n\\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\\n\\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve rc-local.service File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\\\n\\\"}}\\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \\\"rc-local.service|/etc/rc.local Compatibility\\\"` can be executed to check for the execution of the service.\\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the `service/rc.local` files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path in (\\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\") and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"rc.local/rc.common File Creation\",\"description\":\"This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \\\"systemd-rc-local-generator\\\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating rc.local/rc.common File Creation\\n\\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\\n\\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\\n\\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve rc-local.service File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\\\n\\\"}}\\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\\n - If `rc-local.service` is found, manual investigation is required 
to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \\\"rc-local.service|/etc/rc.local Compatibility\\\"` can be executed to check for the execution of the service.\\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the `service/rc.local` files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"703aee5f-7d82-466a-b39f-1f9937f9fc35\",\"rule_id\":\"0f4d35e4-925e-4959-ab24-911be207ee6f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.482Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path in (\\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\") and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", 
\\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"revision\":0,\"current_rule\":{\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"updated_at\":\"2024-12-04T19:45:42.487Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.487Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSASS Memory Dump via PssCaptureSnapShot\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\\nrule cardinality feature.\\n\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"event.category:process and host.os.type:windows and event.code:10 and\\n winlog.event_data.TargetImage:(\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\")\\n\",\"threshold\":{\"field\":[\"process.entity_id\"],\"value\":2,\"cardinality\":[{\"field\":\"winlog.event_data.TargetProcessId\",\"value\":2}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSASS Memory Dump via PssCaptureSnapShot\",\"description\":\"Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://twitter.com/sbousseaden/status/1280619931516747777?lang=en\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\\nrule cardinality 
feature.\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c3bb0aec-5e4e-4a9f-a6f6-38b0ad0eed2c\",\"rule_id\":\"0f93cb9a-1931-48c2-8cd0-f173fd3e5283\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.487Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:process and host.os.type:windows and event.code:10 and\\n winlog.event_data.TargetImage:(\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\lsass.exe\\\" or\\n \\\"c:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\")\\n\",\"threshold\":{\"field\":[\"process.entity_id\"],\"value\":2,\"cardinality\":[{\"field\":\"winlog.event_data.TargetProcessId\",\"value\":2}]},\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"revision\":0,\"current_rule\":{\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"updated_at\":\"2024-12-04T19:45:42.503Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.503Z\",\"created_by\":\"elastic\",\"name\":\"Potential DLL Side-Loading via Trusted Microsoft Programs\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name in (\\\"WinWord.exe\\\", \\\"EXPLORER.EXE\\\", \\\"w3wp.exe\\\", \\\"DISM.EXE\\\") and\\n not (process.name : (\\\"winword.exe\\\", \\\"explorer.exe\\\", \\\"w3wp.exe\\\", \\\"Dism.exe\\\") or\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files?(x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DLL Side-Loading via Trusted Microsoft Programs\",\"description\":\"Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. 
This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"157ce65b-90f2-4df8-8e48-4f17e0ba56ba\",\"rule_id\":\"1160dcdb-0a0a-4a79-91d8-9b84616edebd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:20.999Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.503Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name in (\\\"WinWord.exe\\\", \\\"EXPLORER.EXE\\\", \\\"w3wp.exe\\\", \\\"DISM.EXE\\\") and\\n not (process.name : (\\\"winword.exe\\\", \\\"explorer.exe\\\", \\\"w3wp.exe\\\", \\\"Dism.exe\\\") or\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files?(x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Dism.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"revision\":0,\"current_rule\":{\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"updated_at\":\"2024-12-04T19:45:42.506Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.506Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via Windows Firewall Snap-In Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/AzAgarampur/byeintegrity-uac\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"mmc.exe\\\" and\\n /* process.Ext.token.integrity_level_name == \\\"high\\\" can be added in future for tuning */\\n /* args of the Windows Firewall SnapIn */\\n process.parent.args == \\\"WF.msc\\\" and process.name != \\\"WerFault.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via Windows Firewall Snap-In Hijack\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management 
Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet (the osquery link above is built from the SHA-1; VirusTotal accepts either) and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious child process was spawned by `mmc.exe`.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/AzAgarampur/byeintegrity-uac\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse 
Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"706abc92-9b47-4671-825a-d656da598f2f\",\"rule_id\":\"1178ae09-5aff-460a-9f2f-455cd0ac4d8e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.506Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"mmc.exe\\\" and\\n /* process.Ext.token.integrity_level_name == \\\"high\\\" can be added in future for tuning */\\n /* args of the Windows Firewall SnapIn */\\n process.parent.args == \\\"WF.msc\\\" and process.name != \\\"WerFault.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"revision\":0,\"current_rule\":{\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"updated_at\":\"2024-12-04T19:45:42.510Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.510Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Token Impersonation Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Token Impersonation Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet (the osquery link above is built from the SHA-1; VirusTotal accepts either) and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the script execution.\\n\\n### False positive analysis\\n\\n- Regular users should not need to impersonate other users, which makes false positives unlikely. The query already excludes known benign sources: scripts run by the built-in service accounts (S-1-5-18, S-1-5-19, S-1-5-20) from the Windows Defender Advanced Threat Protection `Downloads` folder, script blocks carrying the `sentinelbreakpoints`/`PowerSploitIndicators` markers, and the HP Notifications module. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related Rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/decoder-it/psgetsystem\",\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":12,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-TokenManipulation\\\" or\\n \\\"ImpersonateNamedPipeClient\\\" or\\n \\\"NtImpersonateThread\\\" or\\n (\\n \\\"STARTUPINFOEX\\\" and\\n 
\\\"UpdateProcThreadAttribute\\\"\\n ) or\\n (\\n \\\"AdjustTokenPrivileges\\\" and\\n \\\"SeDebugPrivilege\\\"\\n ) or\\n (\\n (\\\"DuplicateToken\\\" or\\n \\\"DuplicateTokenEx\\\") and\\n (\\\"SetThreadToken\\\" or\\n \\\"ImpersonateLoggedOnUser\\\" or\\n \\\"CreateProcessWithTokenW\\\" or\\n \\\"CreatePRocessAsUserW\\\" or\\n \\\"CreateProcessAsUserA\\\")\\n ) \\n ) and\\n not (\\n user.id:(\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") and\\n file.directory: \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not (\\n powershell.file.script_block_text : \\\"New-HPPrivateToastNotificationLogo\\\" and\\n file.path : \\\"C:\\\\Program Files\\\\HPConnect\\\\hp-cmsl-wl\\\\modules\\\\HP.Notifications\\\\HP.Notifications.psm1\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Token Impersonation Capabilities\",\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Token Impersonation Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. 
This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet (the osquery link above is built from the SHA-1; VirusTotal accepts either) and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the script execution.\\n\\n### False positive analysis\\n\\n- Regular users should not need to impersonate other users, which makes false positives unlikely. The query already excludes known benign sources: scripts run by the built-in service accounts (S-1-5-18, S-1-5-19, S-1-5-20) from the Windows Defender Advanced Threat Protection `Downloads` folder, script blocks carrying the `sentinelbreakpoints`/`PowerSploitIndicators` markers, and the HP Notifications module. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related Rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/decoder-it/psgetsystem\",\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"51186120-2a29-4ab8-ba4c-20948d60b1c5\",\"rule_id\":\"11dd9713-0ec6-4110-9707-32daae1ee68c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.510Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-TokenManipulation\\\" or\\n \\\"ImpersonateNamedPipeClient\\\" or\\n \\\"NtImpersonateThread\\\" or\\n (\\n 
\\\"STARTUPINFOEX\\\" and\\n \\\"UpdateProcThreadAttribute\\\"\\n ) or\\n (\\n \\\"AdjustTokenPrivileges\\\" and\\n \\\"SeDebugPrivilege\\\"\\n ) or\\n (\\n (\\\"DuplicateToken\\\" or\\n \\\"DuplicateTokenEx\\\") and\\n (\\\"SetThreadToken\\\" or\\n \\\"ImpersonateLoggedOnUser\\\" or\\n \\\"CreateProcessWithTokenW\\\" or\\n \\\"CreatePRocessAsUserW\\\" or\\n \\\"CreateProcessAsUserA\\\")\\n ) \\n ) and\\n not (\\n user.id:(\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") and\\n file.directory: \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not (\\n powershell.file.script_block_text : \\\"New-HPPrivateToastNotificationLogo\\\" and\\n file.path : \\\"C:\\\\Program Files\\\\HPConnect\\\\hp-cmsl-wl\\\\modules\\\\HP.Notifications\\\\HP.Notifications.psm1\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":12,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"revision\":0,\"current_rule\":{\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"updated_at\":\"2024-12-04T19:45:42.513Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.513Z\",\"created_by\":\"elastic\",\"name\":\"Third-party Backup Files Deleted via Unexpected Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Third-party Backup Files Deleted via Unexpected Process\\n\\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\\n\\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\\n\\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.\"],\"from\":\"now-9m\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[\"https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n (\\n /* Veeam Related Backup Files */\\n (\\n file.extension : (\\\"VBK\\\", \\\"VIB\\\", \\\"VBM\\\") and\\n not (\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\") and\\n (process.code_signature.trusted == true and 
process.code_signature.subject_name : (\\\"Veeam Software Group GmbH\\\", \\\"Veeam Software AG\\\"))\\n )\\n ) or\\n /* Veritas Backup Exec Related Backup File */\\n (\\n file.extension : \\\"BKF\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\"\\n )\\n )\\n ) and\\n not (\\n process.name : (\\\"MSExchangeMailboxAssistants.exe\\\", \\\"Microsoft.PowerBI.EnterpriseGateway.exe\\\") and\\n (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ) and\\n not file.path : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Third-party Backup Files Deleted via Unexpected Process\",\"description\":\"Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Third-party Backup Files Deleted via Unexpected Process\\n\\nBackups are a significant obstacle for any ransomware operation. 
They allow the victim to resume business by performing data recovery, making them a valuable target.\\n\\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\\n\\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.\"],\"references\":[\"https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bfabdb4d-2468-45d2-b62e-34111882d6dc\",\"rule_id\":\"11ea6bec-ebde-4d71-a8e9-784948f8e3e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.513Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n (\\n /* Veeam Related Backup Files */\\n (\\n file.extension : (\\\"VBK\\\", \\\"VIB\\\", \\\"VBM\\\") and\\n not (\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\") and\\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\\\"Veeam Software Group GmbH\\\", \\\"Veeam Software AG\\\"))\\n )\\n ) or\\n 
/* Veritas Backup Exec Related Backup File */\\n (\\n file.extension : \\\"BKF\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Veritas\\\\\\\\Backup Exec\\\\\\\\*\\\"\\n )\\n )\\n ) and\\n not (\\n process.name : (\\\"MSExchangeMailboxAssistants.exe\\\", \\\"Microsoft.PowerBI.EnterpriseGateway.exe\\\") and\\n (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true)\\n ) and\\n not file.path : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"revision\":0,\"current_rule\":{\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"updated_at\":\"2024-12-04T19:45:42.518Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.518Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more 
suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or 
Winlogbeat. \\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a User\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"16b58dfa-aa25-48fd-874e-6502dc83247e\",\"rule_id\":\"1224da6c-0326-4b4f-8454-68cdc5ae542b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.518Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"updated_at\":\"2024-12-04T19:46:03.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.692Z\",\"created_by\":\"elastic\",\"name\":\"AWS Lambda Function Created or Updated\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate changes to Lambda functions can trigger this signal. 
Ensure that the changes are authorized and align with your organization's policies.\"],\"from\":\"now-60m\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"to\":\"now\",\"references\":[\"https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/\",\"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"lambda.amazonaws.com\\\"\\n and event.outcome: \\\"success\\\"\\n and event.action: (CreateFunction* or UpdateFunctionCode*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Lambda Function Created or Updated\",\"description\":\"Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. 
Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate changes to Lambda functions can trigger this signal. 
Ensure that the changes are authorized and align with your organization's policies.\"],\"references\":[\"https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/\",\"https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1648\",\"name\":\"Serverless Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1648/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"69c5b255-338b-4798-b84b-9e261d2b377f\",\"rule_id\":\"1251b98a-ff45-11ee-89a1-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"lambda.amazonaws.com\\\"\\n and event.outcome: \\\"success\\\"\\n and event.action: (CreateFunction* or UpdateFunctionCode*)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS Lambda\",\"Use Case: Asset Visibility\",\"Tactic: Execution\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"revision\":0,\"current_rule\":{\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"updated_at\":\"2024-12-04T19:45:42.520Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.520Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Lsass Process Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Lsass Process Access\",\"description\":\"Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"4553ffb4-6844-41f2-b071-a3b0f0daaa28\",\"rule_id\":\"128468bf-cab1-4637-99ea-fdf3780a4609\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.520Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", 
\\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : (\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n not winlog.event_data.GrantedAccess :\\n (\\\"0x1000\\\", \\\"0x1400\\\", \\\"0x101400\\\", \\\"0x101000\\\", \\\"0x101001\\\", \\\"0x100000\\\", \\\"0x100040\\\", \\\"0x3200\\\", \\\"0x40\\\", \\\"0x3200\\\") and\\n not process.name : 
(\\\"procexp64.exe\\\", \\\"procmon.exe\\\", \\\"procexp.exe\\\", \\\"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\platform\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\WebEx\\\\\\\\webex\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LTSvc\\\\\\\\LTSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CynetMS.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsm.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wininit.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemTemp\\\\\\\\GUM*.tmp\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\sysWOW64\\\\\\\\wbem\\\\\\\\wmiprvse.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlplus.exe\\\", \\n \\\"C:\\\\\\\\oracle\\\\\\\\64\\\\\\\\02\\\\\\\\instantclient_19_13\\\\\\\\sqlldr.exe\\\",\\n \\\"d:\\\\\\\\oracle\\\\\\\\product\\\\\\\\19\\\\\\\\dbhome1\\\\\\\\bin\\\\\\\\ORACLE.EXE\\\",\\n \\\"C:\\\\\\\\wamp\\\\\\\\bin\\\\\\\\apache\\\\\\\\apache*\\\\\\\\bin\\\\\\\\httpd.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\netstat.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~1\\\\\\\\INFORM~1\\\\\\\\apps\\\\\\\\jdk\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\", \\n \\\"C:\\\\\\\\PROGRA~2\\\\\\\\CyberCNSAgentV2\\\\\\\\osqueryi.exe\\\",\\n \\\"C:\\\\\\\\Utilityw2k19\\\\\\\\packetbeat\\\\\\\\packetbeat.exe\\\",\\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco AnyConnect Secure Mobility Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Cisco\\\\\\\\Cisco Secure Client\\\\\\\\Temp\\\\\\\\CloudUpdate\\\\\\\\vpndownloader.exe\\\"\\n ) and\\n not winlog.event_data.CallTrace : (\\\"*mpengine.dll*\\\", \\\"*appresolver.dll*\\\", \\\"*sysmain.dll*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"revision\":0,\"current_rule\":{\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"updated_at\":\"2024-12-04T19:45:42.527Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.527Z\",\"created_by\":\"elastic\",\"name\":\"Potential Exploitation of an Unquoted Service Path Vulnerability\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. 
By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.009\",\"name\":\"Path Interception by Unquoted Path\",\"reference\":\"https://attack.mitre.org/techniques/T1574/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n (\\n process.executable : \\\"?:\\\\\\\\Program.exe\\\" or \\n process.executable regex \\\"\\\"\\\"(C:\\\\\\\\Program Files \\\\(x86\\\\)\\\\\\\\|C:\\\\\\\\Program Files\\\\\\\\)\\\\w+.exe\\\"\\\"\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Exploitation of an Unquoted Service Path 
Vulnerability\",\"description\":\"Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.009\",\"name\":\"Path Interception by Unquoted 
Path\",\"reference\":\"https://attack.mitre.org/techniques/T1574/009/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e0eb3f0c-56de-49d9-b38d-90393b463a46\",\"rule_id\":\"12de29d4-bbb0-4eef-b687-857e8a163870\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.527Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n (\\n process.executable : \\\"?:\\\\\\\\Program.exe\\\" or \\n process.executable regex \\\"\\\"\\\"(C:\\\\\\\\Program Files \\\\(x86\\\\)\\\\\\\\|C:\\\\\\\\Program Files\\\\\\\\)\\\\w+.exe\\\"\\\"\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"revision\":0,\"current_rule\":{\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"updated_at\":\"2024-12-04T19:45:42.530Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.530Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Cmd Execution via WMI\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"WmiPrvSE.exe\\\" and process.name : \\\"cmd.exe\\\" and\\n process.args : \\\"\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*\\\" and process.args : (\\\"2>&1\\\", \\\"1>\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Cmd Execution via WMI\",\"description\":\"Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"13fb823c-6a8a-4316-80d4-c455df743efa\",\"rule_id\":\"12f07955-1674-44f7-86b5-c35da0a6f41a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.530Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"WmiPrvSE.exe\\\" and process.name : \\\"cmd.exe\\\" and\\n process.args : \\\"\\\\\\\\\\\\\\\\127.0.0.1\\\\\\\\*\\\" and process.args : (\\\"2>&1\\\", 
\\\"1>\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"revision\":0,\"current_rule\":{\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"updated_at\":\"2024-12-04T19:45:42.536Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.536Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Scheduled Job Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A job can be used to schedule programs or scripts to be executed at a specified date and time. 
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled jobs may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":310,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\" and file.extension : \\\"job\\\" and\\n not (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\CCleanerCrashReporting.job\\\"\\n ) or\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\"\\n ) and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\DCAgentUpdater.job\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Scheduled Job Creation\",\"description\":\"A job can be used to schedule programs or scripts to be executed at a specified date and time. 
Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":411,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled jobs may be created during installation of new software.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"df001b51-0c86-4f1a-93f6-5d68fabb3bc5\",\"rule_id\":\"1327384f-00f3-44d5-9a8c-2373ba071e92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.536Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\" and file.extension : \\\"job\\\" and\\n not (\\n (\\n process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\CCleanerCrashReporting.job\\\"\\n ) or\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ManageEngine\\\\\\\\UEMS_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcagentregister.exe\\\"\\n ) and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\DCAgentUpdater.job\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":310,\"target_version\":411,\"merged_version\":411,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"revision\":0,\"current_rule\":{\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"updated_at\":\"2024-12-04T19:45:42.541Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.541Z\",\"created_by\":\"elastic\",\"name\":\"Potential Ransomware Behavior - High count of Readme files by System\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n#### Possible investigation steps\\n\\n- Investigate the content of the readme files.\\n- Investigate any file names with unusual extensions.\\n- Investigate any incoming network connection to port 445 on this host.\\n- Investigate any network logon events to this host.\\n- Identify the total number and type of modified files by pid 4.\\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Local file modification from a Kernel mode driver.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume 
Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\\n\",\"threshold\":{\"field\":[\"host.id\",\"file.name\"],\"value\":20},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Ransomware Behavior - High count of Readme files by System\",\"description\":\"This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time 
period.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n#### Possible investigation steps\\n\\n- Investigate the content of the readme files.\\n- Investigate any file names with unusual extensions.\\n- Investigate any incoming network connection to port 445 on this host.\\n- Investigate any network logon events to this host.\\n- Identify the total number and type of modified files by pid 4.\\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Local file modification from a Kernel mode driver.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"40120176-f00f-469a-bc8a-27a401034c4d\",\"rule_id\":\"1397e1b9-0c90-4d24-8d7b-80598eb9bc9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.541Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\\n\",\"threshold\":{\"field\":[\"host.id\",\"file.name\"],\"value\":20},\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"revision\":0,\"current_rule\":{\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"updated_at\":\"2024-12-04T19:45:42.543Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.543Z\",\"created_by\":\"elastic\",\"name\":\"Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity\",\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-10m\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"],\"query\":\"process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score\",\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-10m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. \\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"896545e6-f2a2-4f84-b1c7-ece87e236a9a\",\"rule_id\":\"13e908b9-7bf0-4235-abc9-b5deb500d0ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.543Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity\",\"target_version\":\"Machine Learning Detected a Suspicious Windows Event with a Low 
Malicious Probability Score\",\"merged_version\":\"Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"target_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"target_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.\",\"merged_version\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where ((problemchild.prediction == 1 and 
problemchild.prediction_probability <= 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"revision\":0,\"current_rule\":{\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"updated_at\":\"2024-12-04T19:45:42.548Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.548Z\",\"created_by\":\"elastic\",\"name\":\"RPC (Remote Procedure Call) from the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 
192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RPC (Remote Procedure Call) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"067c8ad5-e283-4697-b1a6-c95ef3c10993\",\"rule_id\":\"143cb236-0956-4f42-a706-814bcaa0cf5a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.548Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"revision\":0,\"current_rule\":{\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"updated_at\":\"2024-12-04T19:45:42.550Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.550Z\",\"created_by\":\"elastic\",\"name\":\"Office Test Registry Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the Microsoft Office \\\"Office Test\\\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.002\",\"name\":\"Office Test\",\"reference\":\"https://attack.mitre.org/techniques/T1137/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Office Test\\\\\\\\Special\\\\\\\\Perf\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Office Test Registry Persistence\",\"description\":\"Identifies the modification of the Microsoft Office \\\"Office Test\\\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. 
Attackers can abuse this to gain persistence on a compromised host.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.002\",\"name\":\"Office Test\",\"reference\":\"https://attack.mitre.org/techniques/T1137/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fc41eb45-a989-437e-b12a-bb349d601860\",\"rule_id\":\"14dab405-5dd9-450c-8106-72951af2391f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.550Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Office Test\\\\\\\\Special\\\\\\\\Perf\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"revision\":0,\"current_rule\":{\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"updated_at\":\"2024-12-04T19:45:40.147Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.147Z\",\"created_by\":\"elastic\",\"name\":\"Potential Persistence via Time Provider Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Persistence via Time Provider Modification\\n\\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. 
\\n\\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore Time Provider settings to the desired state.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time 
Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pentestlab.blog/2019/10/22/persistence-time-providers/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Persistence via Time Provider Modification\",\"description\":\"Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. 
Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Persistence via Time Provider Modification\\n\\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \\n\\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore Time Provider settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pentestlab.blog/2019/10/22/persistence-time-providers/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.003\",\"name\":\"Time 
Providers\",\"reference\":\"https://attack.mitre.org/techniques/T1547/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"50a7093c-9d61-4337-9770-c025f4abcc07\",\"rule_id\":\"14ed1aa9-ebfd-4cf9-a463-0ac59ec55204\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.147Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : 
\\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path: (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\W32Time\\\\\\\\TimeProviders\\\\\\\\*\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and\\n registry.data.strings : \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmwTimeProvider\\\\\\\\vmwTimeProvider.dll\\\"\\n ) and\\n not registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\SYSTEM32\\\\\\\\w32time.DLL\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"revision\":0,\"current_rule\":{\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"updated_at\":\"2024-12-04T19:45:42.557Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.557Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Task Execution at Scale via GPO\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Scheduled Task Execution at Scale via GPO\\n\\nGroup Policy Objects (GPOs) can be used 
by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml` file.\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scheduled tasks attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\",\"https://twitter.com/menasec1/status/1106899890377052160\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"(event.code: \\\"5136\\\" and winlog.event_data.AttributeLDAPDisplayName:(\\\"gPCMachineExtensionNames\\\" or \\\"gPCUserExtensionNames\\\") and\\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\\nor\\n(event.code: \\\"5145\\\" and winlog.event_data.ShareName: \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Task Execution at Scale via GPO\",\"description\":\"Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Scheduled Task Execution at Scale via GPO\\n\\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. 
This is done by changing the contents of the `\\\\Machine\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml` file.\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scheduled tasks attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\",\"https://twitter.com/menasec1/status/1106899890377052160\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1570\",\"name\":\"Lateral Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows 
Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"b3cea5d7-8bcb-45c4-b15d-8fd5e521e251\",\"rule_id\":\"15a8ba77-1c13-4274-88fe-6bd14133861e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.557Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : 
\\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Lateral Movement\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":
\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"(event.code: \\\"5136\\\" and winlog.event_data.AttributeLDAPDisplayName:(\\\"gPCMachineExtensionNames\\\" or \\\"gPCUserExtensionNames\\\") and\\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\\nor\\n(event.code: \\\"5145\\\" and winlog.event_data.ShareName: \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : \\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n 
winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\\\" and\\n winlog.event_data.AttributeValue : \\\"*AADCED64-746C-4633-A97C-D61349046527*\\\"\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : \\\"*ScheduledTasks.xml\\\" and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"revision\":0,\"current_rule\":{\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"updated_at\":\"2024-12-04T19:45:42.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.560Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via Desktopimgdownldr Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Desktopimgdownldr Utility\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use 
the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"desktopimgdownldr.exe\\\" or ?process.pe.original_file_name == \\\"desktopimgdownldr.exe\\\") and\\n process.args : \\\"/lockscreenurl:http*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via Desktopimgdownldr Utility\",\"description\":\"Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Desktopimgdownldr Utility\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across 
hosts.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f61e3fd4-7dee-4e57-b654-968c07e660b7\",\"rule_id\":\"15c0b7a7-9c34-4869-b25b-fa6518414899\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.000Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"desktopimgdownldr.exe\\\" or ?process.pe.original_file_name == \\\"desktopimgdownldr.exe\\\") and\\n process.args : \\\"/lockscreenurl:http*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"revision\":0,\"current_rule\":{\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"updated_at\":\"2024-12-04T19:45:42.571Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.571Z\",\"created_by\":\"elastic\",\"name\":\"File Creation Time Changed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. 
Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.006\",\"name\":\"Timestomp\",\"reference\":\"https://attack.mitre.org/techniques/T1070/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.code : \\\"2\\\" and\\n\\n /* Requires Sysmon EventID 2 - File creation time change */\\n event.action : \\\"File creation time changed*\\\" and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Program 
Files (x86)\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\backgroundTaskHost.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\app-*\\\\\\\\slack.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\GitHubDesktop\\\\\\\\app-*\\\\\\\\GitHubDesktop.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\current\\\\\\\\Teams.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\") and \\n not file.extension : (\\\"temp\\\", \\\"tmp\\\", \\\"~tmp\\\", \\\"xml\\\", \\\"newcfg\\\") and not user.name : (\\\"SYSTEM\\\", \\\"Local Service\\\", \\\"Network Service\\\") and\\n not file.name : (\\\"LOG\\\", \\\"temp-index\\\", \\\"license.rtf\\\", \\\"iconcache_*.db\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Creation Time Changed\",\"description\":\"Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. 
Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.006\",\"name\":\"Timestomp\",\"reference\":\"https://attack.mitre.org/techniques/T1070/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf90f0a8-8fb9-4e5f-be0c-a4010716f41b\",\"rule_id\":\"166727ab-6768-4e26-b80c-948b228ffc06\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.571Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"fil
e where host.os.type == \\\"windows\\\" and event.code : \\\"2\\\" and\\n\\n /* Requires Sysmon EventID 2 - File creation time change */\\n event.action : \\\"File creation time changed*\\\" and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\msiexec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\backgroundTaskHost.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\app-*\\\\\\\\slack.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\GitHubDesktop\\\\\\\\app-*\\\\\\\\GitHubDesktop.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\current\\\\\\\\Teams.exe\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\") and \\n not file.extension : (\\\"temp\\\", \\\"tmp\\\", \\\"~tmp\\\", \\\"xml\\\", \\\"newcfg\\\") and not user.name : (\\\"SYSTEM\\\", \\\"Local Service\\\", \\\"Network Service\\\") and\\n not file.name : (\\\"LOG\\\", \\\"temp-index\\\", \\\"license.rtf\\\", \\\"iconcache_*.db\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"revision\":0,\"current_rule\":{\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"updated_at\":\"2024-12-04T19:45:42.578Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.578Z\",\"created_by\":\"elastic\",\"name\":\"Startup/Logon Script added to Group Policy Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup/Logon Script added to Group Policy Object\\n\\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following paths:\\n - `\\\\Machine\\\\Scripts\\\\`\\n - `\\\\User\\\\Scripts\\\\`\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is legitimately authorized and executed under a change management process.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate Administrative Activity\"],\"from\":\"now-6m\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity 
Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"(\\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\\n)\\nor\\n(\\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL and\\n winlog.event_data.RelativeTargetName:(*\\\\\\\\scripts.ini or *\\\\\\\\psscripts.ini) and\\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup/Logon Script added to Group Policy Object\",\"description\":\"Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup/Logon Script added to Group Policy Object\\n\\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. 
The scripts are stored in the following paths:\\n - `\\\\Machine\\\\Scripts\\\\`\\n - `\\\\User\\\\Scripts\\\\`\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\\n\\n### False positive analysis\\n\\n- Verify if the execution is legitimately authorized and executed under a change management process.\\n\\n### Related rules\\n\\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate Administrative Activity\"],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31d14300-cbb9-4f8c-a0f0-d563ae855d6d\",\"rule_id\":\"16fac1a1-21ee-4ca6-b720-458e3855d046\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.578Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"(\\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\\n)\\nor\\n(\\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL and\\n winlog.event_data.RelativeTargetName:(*\\\\\\\\scripts.ini or *\\\\\\\\psscripts.ini) and\\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code in (\\\"5136\\\", \\\"5145\\\") and\\n(\\n (\\n winlog.event_data.AttributeLDAPDisplayName : (\\n \\\"gPCMachineExtensionNames\\\",\\n \\\"gPCUserExtensionNames\\\"\\n ) and\\n winlog.event_data.AttributeValue : \\\"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\\\" and\\n winlog.event_data.AttributeValue : (\\n \\\"*40B66650-4972-11D1-A7CA-0000F87571E3*\\\",\\n \\\"*40B6664F-4972-11D1-A7CA-0000F87571E3*\\\"\\n )\\n ) or\\n (\\n winlog.event_data.ShareName : \\\"\\\\\\\\\\\\\\\\*\\\\\\\\SYSVOL\\\" and\\n winlog.event_data.RelativeTargetName : (\\\"*\\\\\\\\scripts.ini\\\", \\\"*\\\\\\\\psscripts.ini\\\") and\\n winlog.event_data.AccessList:\\\"*%%4417*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"revision\":0,\"current_rule\":{\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"updated_at\":\"2024-12-04T19:46:03.699Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.699Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. 
This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"from\":\"now-60m\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0015\",\"https://atlas.mitre.org/techniques/AML.T0034\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User\",\"description\":\"Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. 
This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0015\",\"Mitre Atlas: T0034\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0015\",\"https://atlas.mitre.org/techniques/AML.T0034\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"fddccc1e-7f40-4904-9629-36d701ba9e04\",\"rule_id\":\"17261da3-a6d0-463c-aac8-ea1718afcd20\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.699Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Attempt to use Denied Amazon Bedrock Models.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as 
well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that attempted to use denied models.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's attempts to access Amazon Bedrock models in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that attempted to use denied models, is a legitimate misunderstanding by users or overly strict policies.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"merged_version\":{\"field_names\":[\"user.id\",\"cloud.account.id\",\"gen_ai.request.model.id\",\"total_denials\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.response.error_code == \\\"AccessDeniedException\\\"\\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\\n| where total_denials > 3\\n| sort total_denials desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"revision\":0,\"current_rule\":{\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"updated_at\":\"2024-12-04T19:45:42.581Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.581Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Username\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. 
Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"},{\"id\":\"T1078.003\",\"name\":\"Local 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_user_name\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Username\",\"description\":\"A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. 
In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"},{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"9c3f9a14-fe2f-4e5c-adb1-39d0c97b3606\",\"rule_id\":\"1781d055-5c66-4adf-9c59-fc0fa58336a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.581Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_user_name\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"revision\":0,\"current_rule\":{\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"updated_at\":\"2024-12-04T19:45:42.583Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.583Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the 
associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_service\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Service\",\"description\":\"A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. 
This job helps detect malware and persistence mechanisms that have been installed and run as a service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"55a25dfb-97b4-4776-b4ba-4b399b2c62f2\",\"rule_id\":\"1781d055-5c66-4adf-9c71-fc0fa58338c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.583Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_service\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"revision\":0,\"current_rule\":{\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"updated_at\":\"2024-12-04T19:45:42.585Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.585Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Powershell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the 
associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_script\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Powershell Script\",\"description\":\"A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8c945e82-cbc0-45f4-b962-4e0121a8369f\",\"rule_id\":\"1781d055-5c66-4adf-9d60-fc0fa58337b6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.585Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_script\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"revision\":0,\"current_rule\":{\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"updated_at\":\"2024-12-04T19:45:42.588Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.588Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows User Privilege Elevation Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Privilege Escalation\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_runas_event\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows User Privilege Elevation Activity\",\"description\":\"A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. 
Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Privilege Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"f72a3fb8-7235-4d9b-9a61-9777360e9be9\",\"rule_id\":\"1781d055-5c66-4adf-9d82-fc0fa58449c8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.588Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_runas_event\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"revision\":0,\"current_rule\":{\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"updated_at\":\"2024-12-04T19:45:42.590Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.590Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Remote User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\"],\"from\":\"now-45m\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_type10_remote_login\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Remote User\",\"description\":\"A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. 
RDP attacks, such as BlueKeep, also tend to use unusual usernames.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating an Unusual Windows User\\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is 
enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"fe32705e-9bef-4c3d-8331-6048b12f8134\",\"rule_id\":\"1781d055-5c66-4adf-9e93-fc0fa69550c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.590Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_user_type10_remote_login\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"revision\":0,\"current_rule\":{\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"updated_at\":\"2024-12-04T19:45:42.593Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.593Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Service Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":13,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", 
\\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Service Created\",\"description\":\"This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":15,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dd89ad2a-3105-4a03-9486-75c4122ec40f\",\"rule_id\":\"17b0a495-4d9f-414c-8ad0-92f018b8e001\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.593Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", 
\\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n 
\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", \\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":13,\"target_version\":15,\"merged_version\":15,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in 
Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Created\\n\\nSystemd service files are configuration files in Linux systems used to define and manage system services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the systemd service file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", 
\\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"service\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\", \\\"/usr/lib/systemd/systemd\\\",\\n \\\"/usr/sbin/sshd\\\", \\\"/usr/bin/gitlab-runner\\\", \\\"/opt/gitlab/embedded/bin/ruby\\\", \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/install\\\",\\n \\\"/usr/local/manageengine/uems_agent/bin/dcregister\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n process.name like (\\n \\\"ssm-agent-worker\\\", \\\"python*\\\", \\\"platform-python*\\\", \\\"dnf_install\\\", \\\"cloudflared\\\", \\\"lxc-pve-prestart-hook\\\",\\n \\\"convert-usrmerge\\\", \\\"elastic-agent\\\", \\\"google_metadata_script_runner\\\", \\\"update-alternatives\\\", \\\"gitlab-runner\\\",\\n \\\"install\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"package-cleanup\\\", \\\"dcservice\\\", \\\"dcregister\\\", \\\"jumpcloud-agent\\\", \\\"executor\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"revision\":0,\"current_rule\":{\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"updated_at\":\"2024-12-04T19:45:42.595Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.595Z\",\"created_by\":\"elastic\",\"name\":\"Renamed Utility Executed with Short Program Name\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed Utility Executed with Short Program Name\\n\\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and length(process.name) > 0 and\\n length(process.name) == 5 and 
length(process.pe.original_file_name) > 5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Renamed Utility Executed with Short Program Name\",\"description\":\"Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed Utility Executed with Short Program Name\\n\\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System 
Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bfee78e3-7aeb-414c-aeba-ed7eecda83f9\",\"rule_id\":\"17c7f6a5-5bc9-4e1f-92bf-13632d24384d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.595Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and length(process.name) > 0 and\\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: 
Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"revision\":0,\"current_rule\":{\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"updated_at\":\"2024-12-04T19:45:42.609Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.609Z\",\"created_by\":\"elastic\",\"name\":\"Potential Persistence via File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: File Integrity Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. 
To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"fim\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\\n\\n### Elastic FIM Integration Setup\\nTo configure the Elastic FIM integration, follow these steps:\\n\\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\\n3. In the Kibana home page, click on \\\"Integrations\\\" in the left sidebar.\\n4. Search for \\\"File Integrity Monitoring\\\" in the search bar and select the integration.\\n5. Provide a name and optional description for the integration.\\n6. Select the appropriate agent policy for your Linux system or create a new one.\\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. 
You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\\n8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\\n\\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-fim.event-*\",\"auditbeat-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.dataset == \\\"fim.event\\\" and event.action == \\\"updated\\\" and\\nfile.path : (\\n // cron, anacron & at\\n \\\"/etc/cron.d/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.monthly/*\\\",\\n \\\"/etc/cron.weekly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/etc/cron.allow\\\",\\n \\\"/etc/cron.deny\\\", \\\"/var/spool/anacron/*\\\", \\\"/var/spool/cron/atjobs/*\\\",\\n\\n // systemd services & timers\\n \\\"/etc/systemd/system/*\\\", \\\"/usr/local/lib/systemd/system/*\\\", \\\"/lib/systemd/system/*\\\",\\n \\\"/usr/lib/systemd/system/*\\\", \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\",\\n\\n // LD_PRELOAD\\n \\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/ld.so.conf\\\",\\n\\n // message-of-the-day (MOTD)\\n \\\"/etc/update-motd.d/*\\\",\\n\\n // SSH\\n \\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\",\\n\\n // system-wide shell configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/zsh/*\\\", \\\"/etc/csh.cshrc\\\",\\n \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n\\n // root and user shell configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", 
\\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\",\\n\\n // runtime control\\n \\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\",\\n\\n // System V init/Upstart\\n \\\"/etc/init.d/*\\\", \\\"/etc/init/*\\\",\\n\\n // passwd/sudoers/shadow\\n \\\"/etc/passwd\\\", \\\"/etc/shadow\\\", \\\"/etc/sudoers\\\", \\\"/etc/sudoers.d/*\\\",\\n\\n // Systemd udevd\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\",\\n\\n // XDG/KDE autostart entries\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\"\\n) and not (\\n file.path : (\\n \\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/run/udev/rules.d/*rules.*\\\", \\\"/home/*/.ssh/known_hosts.*\\\", \\\"/root/.ssh/known_hosts.*\\\"\\n ) or\\n file.extension in (\\\"dpkg-new\\\", \\\"dpkg-remove\\\", \\\"SEQ\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Persistence via File 
Modification\",\"description\":\"This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: File Integrity Monitoring\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\\n\\n### Elastic FIM Integration Setup\\nTo configure the Elastic FIM integration, follow these steps:\\n\\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\\n3. 
In the Kibana home page, click on \\\"Integrations\\\" in the left sidebar.\\n4. Search for \\\"File Integrity Monitoring\\\" in the search bar and select the integration.\\n5. Provide a name and optional description for the integration.\\n6. Select the appropriate agent policy for your Linux system or create a new one.\\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\\n8. Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\\n\\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\\n\",\"related_integrations\":[{\"package\":\"fim\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e3ec3e9-0fb6-49ca-9d46-45950c04b9c1\",\"rule_id\":\"192657ba-ab0e-4901-89a2-911d611eee98\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:42.609Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.dataset == \\\"fim.event\\\" and event.action == \\\"updated\\\" and\\nfile.path : (\\n // cron, anacron & at\\n \\\"/etc/cron.d/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.monthly/*\\\",\\n \\\"/etc/cron.weekly/*\\\", \\\"/etc/crontab\\\", 
\\\"/var/spool/cron/crontabs/*\\\", \\\"/etc/cron.allow\\\",\\n \\\"/etc/cron.deny\\\", \\\"/var/spool/anacron/*\\\", \\\"/var/spool/cron/atjobs/*\\\",\\n\\n // systemd services & timers\\n \\\"/etc/systemd/system/*\\\", \\\"/usr/local/lib/systemd/system/*\\\", \\\"/lib/systemd/system/*\\\",\\n \\\"/usr/lib/systemd/system/*\\\", \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\",\\n\\n // LD_PRELOAD\\n \\\"/etc/ld.so.preload\\\", \\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/ld.so.conf\\\",\\n\\n // message-of-the-day (MOTD)\\n \\\"/etc/update-motd.d/*\\\",\\n\\n // SSH\\n \\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\",\\n\\n // system-wide shell configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/zsh/*\\\", \\\"/etc/csh.cshrc\\\",\\n \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n\\n // root and user shell configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\",\\n\\n // runtime control\\n \\\"/etc/rc.common\\\", \\\"/etc/rc.local\\\",\\n\\n // System V init/Upstart\\n \\\"/etc/init.d/*\\\", \\\"/etc/init/*\\\",\\n\\n // passwd/sudoers/shadow\\n \\\"/etc/passwd\\\", \\\"/etc/shadow\\\", \\\"/etc/sudoers\\\", \\\"/etc/sudoers.d/*\\\",\\n\\n // Systemd udevd\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", 
\\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\", \\\"/usr/local/lib/udev/rules.d/*\\\",\\n\\n // XDG/KDE autostart entries\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\"\\n) and not (\\n file.path : (\\n \\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/run/udev/rules.d/*rules.*\\\", \\\"/home/*/.ssh/known_hosts.*\\\", \\\"/root/.ssh/known_hosts.*\\\"\\n ) or\\n file.extension in (\\\"dpkg-new\\\", \\\"dpkg-remove\\\", \\\"SEQ\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-fim.event-*\",\"auditbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo 
Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control 
Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse 
Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"revision\":0,\"current_rule\":{\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"updated_at\":\"2024-12-04T19:45:43.549Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.549Z\",\"created_by\":\"elastic\",\"name\":\"Execution of COM object via Xwizard\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. 
Xwizard can be used to run a COM object created in registry to evade defensive counter measures.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\",\"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of COM object via Xwizard\",\"description\":\"Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. 
Xwizard can be used to run a COM object created in registry to evade defensive counter measures.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Xwizard/\",\"http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"53e1e301-edec-439c-91e9-d35234266ab9\",\"rule_id\":\"1a6075b0-7479-450e-8fe7-b8b8438ac570\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.549Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or 
?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"xwizard.exe\\\" or ?process.pe.original_file_name : \\\"xwizard.exe\\\") and\\n (\\n (process.args : \\\"RunWizard\\\" and process.args : \\\"{*}\\\") or\\n (process.executable != null and\\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\xwizard.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\xwizard.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"revision\":0,\"current_rule\":{\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"updated_at\":\"2024-12-04T19:45:43.553Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.553Z\",\"created_by\":\"elastic\",\"name\":\"User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create new users. 
This is sometimes done by attackers to increase access or establish persistence on a system or domain.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Account Creation\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `net.exe` to create new accounts.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\" and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User Account Creation\",\"description\":\"Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Account Creation\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `net.exe` to create new accounts.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"af519c67-fa8a-4ffb-bd26-15ee3304be2b\",\"rule_id\":\"1aa9181a-492b-4c01-8b16-fa0735786b2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.553Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\" and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n (process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"net.exe\\\", \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\") and\\n 
(process.args : \\\"user\\\" and process.args : (\\\"/ad\\\", \\\"/add\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"revision\":0,\"current_rule\":{\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"updated_at\":\"2024-12-04T19:45:43.574Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.574Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious File Creation in /etc for Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious File Creation in /etc for Persistence\\n\\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\\n\\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified 
indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server, refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, which provides \\\"All events; all preventions\\\".\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"file_create_event\\\") and user.id == \\\"0\\\" and\\nfile.path : (\\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/sudoers.d/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/systemd/system/*\\\",\\n\\\"/usr/lib/systemd/system/*\\\") and not (\\n (process.name : (\\n \\\"chef-client\\\", \\\"ruby\\\", \\\"pacman\\\", \\\"packagekitd\\\", \\\"python*\\\", \\\"platform-python\\\", \\\"dpkg\\\", \\\"yum\\\", \\\"apt\\\", \\\"dnf\\\", \\\"rpm\\\",\\n \\\"systemd\\\", \\\"snapd\\\", \\\"dnf-automatic\\\", \\\"yum-cron\\\", \\\"elastic-agent\\\", \\\"dnfdaemon-system\\\", \\\"dockerd\\\", \\\"executor\\\",\\n \\\"rhn_check\\\"\\n )\\n ) or \\n (file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"tmp\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious File Creation in /etc for Persistence\",\"description\":\"Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. 
File creation in these directories is not expected to be common and could indicate a malicious binary or script installing persistence mechanisms for long-term access.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious File Creation in /etc for Persistence\\n\\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\\n\\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they run properly.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n- Use OSQuery to investigate whether any other files in any of the commonly abused directories have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified 
indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":116,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Orbit\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server, refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, which provides \\\"All events; all preventions\\\".\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b103cf61-88ca-42e0-b6a5-9dd64d93ef98\",\"rule_id\":\"1c84dd64-7e6c-4bad-ac73-a5014ee37042\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.574Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"file_create_event\\\") and user.id == \\\"0\\\" and\\nfile.path : (\\\"/etc/ld.so.conf.d/*\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/sudoers.d/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/systemd/system/*\\\",\\n\\\"/usr/lib/systemd/system/*\\\") and not (\\n (process.name : (\\n \\\"chef-client\\\", \\\"ruby\\\", \\\"pacman\\\", \\\"packagekitd\\\", \\\"python*\\\", \\\"platform-python\\\", \\\"dpkg\\\", \\\"yum\\\", \\\"apt\\\", \\\"dnf\\\", \\\"rpm\\\",\\n \\\"systemd\\\", 
\\\"snapd\\\", \\\"dnf-automatic\\\", \\\"yum-cron\\\", \\\"elastic-agent\\\", \\\"dnfdaemon-system\\\", \\\"dockerd\\\", \\\"executor\\\",\\n \\\"rhn_check\\\"\\n )\\n ) or \\n (file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"tmp\\\"))\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":116,\"merged_version\":116,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"target_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/\",\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"revision\":0,\"current_rule\":{\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"updated_at\":\"2024-12-04T19:45:43.579Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.579Z\",\"created_by\":\"elastic\",\"name\":\"Incoming Execution via WinRM Remote Shell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"WinRM is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and process.pid == 4 and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n 
destination.port in (5985, 5986) and network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"winrshost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming Execution via WinRM Remote Shell\",\"description\":\"Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"WinRM is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"883cb7de-f7cc-44b1-87fb-5faa303a6c61\",\"rule_id\":\"1cd01db9-be24-4bef-8e7c-e923f0ff78ab\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.579Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and process.pid == 4 and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n destination.port in (5985, 5986) and network.protocol == \\\"http\\\" and source.ip != 
\\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"winrshost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"revision\":0,\"current_rule\":{\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"updated_at\":\"2024-12-04T19:45:43.584Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.584Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via Script Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Script Interpreter\\n\\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path 
=\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and network.type == \\\"ipv4\\\" and destination.ip != \\\"127.0.0.1\\\"\\n ]\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : (\\\"exe\\\", \\\"dll\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via Script Interpreter\",\"description\":\"Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via Script Interpreter\\n\\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path 
=\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the file download.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"19b22f37-3d44-45c9-8c3e-84b08dca7b4d\",\"rule_id\":\"1d276579-3380-4095-ad38-e596a01bc64f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.584Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and network.type == \\\"ipv4\\\" and destination.ip != \\\"127.0.0.1\\\"\\n ]\\n [file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : (\\\"exe\\\", 
\\\"dll\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"revision\":0,\"current_rule\":{\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"updated_at\":\"2024-12-04T19:45:43.591Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.591Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Encryption/Decryption Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security 
solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of encryption.\"],\"from\":\"now-9m\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Cryptography.AESManaged\\\" or\\n \\\"Cryptography.RijndaelManaged\\\" or\\n \\\"Cryptography.SHA1Managed\\\" or\\n \\\"Cryptography.SHA256Managed\\\" or\\n \\\"Cryptography.SHA384Managed\\\" or\\n \\\"Cryptography.SHA512Managed\\\" or\\n \\\"Cryptography.SymmetricAlgorithm\\\" or\\n \\\"PasswordDeriveBytes\\\" or\\n \\\"Rfc2898DeriveBytes\\\"\\n ) and\\n (\\n CipherMode and PaddingMode\\n ) and\\n (\\n \\\".CreateEncryptor\\\" or\\n \\\".CreateDecryptor\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.name : \\\"Bootstrap.Octopus.FunctionAppenderContext.ps1\\\" and\\n powershell.file.script_block_text : (\\\"function Decrypt-Variables\\\" or \\\"github.com/OctopusDeploy\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Encryption/Decryption Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security 
solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of encryption.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5057442d-19d1-4c2d-a20c-a4820424f0af\",\"rule_id\":\"1d9aeb0b-9549-46f6-a32d-05e2a001b7fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.001Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.591Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Cryptography.AESManaged\\\" or\\n \\\"Cryptography.RijndaelManaged\\\" or\\n \\\"Cryptography.SHA1Managed\\\" or\\n \\\"Cryptography.SHA256Managed\\\" or\\n \\\"Cryptography.SHA384Managed\\\" or\\n \\\"Cryptography.SHA512Managed\\\" or\\n \\\"Cryptography.SymmetricAlgorithm\\\" or\\n \\\"PasswordDeriveBytes\\\" or\\n \\\"Rfc2898DeriveBytes\\\"\\n ) and\\n (\\n CipherMode and PaddingMode\\n ) and\\n (\\n \\\".CreateEncryptor\\\" or\\n \\\".CreateDecryptor\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.name : \\\"Bootstrap.Octopus.FunctionAppenderContext.ps1\\\" and\\n powershell.file.script_block_text : (\\\"function Decrypt-Variables\\\" or \\\"github.com/OctopusDeploy\\\")\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"revision\":0,\"current_rule\":{\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"updated_at\":\"2024-12-04T19:45:43.593Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.593Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via DiskCleanup Scheduled Task Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via DiskCleanup Scheduled Task Hijack\",\"description\":\"Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. 
Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cefa3616-9844-4566-941e-1b876167d874\",\"rule_id\":\"1dcc51f6-ba26-49e7-9ef4-2655abb2361e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.593Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"/autoclean\\\" and process.args : \\\"/d\\\" and process.executable != null and \\n not process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cleanmgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"revision\":0,\"current_rule\":{\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"updated_at\":\"2024-12-04T19:45:43.603Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.603Z\",\"created_by\":\"elastic\",\"name\":\"Execution of File Written or Modified by PDF Reader\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious file that was written by a PDF reader application and subsequently executed. 
These processes are often launched via exploitation of PDF applications.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by PDF Reader\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-120m\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"AcroRd32.exe\\\" or\\n process.name : \\\"rdrcef.exe\\\" or\\n process.name : \\\"FoxitPhantomPDF.exe\\\" or\\n process.name : \\\"FoxitReader.exe\\\") and\\n not (file.name : \\\"FoxitPhantomPDF.exe\\\" or\\n file.name : \\\"FoxitPhantomPDFUpdater.exe\\\" or\\n file.name : \\\"FoxitReader.exe\\\" or\\n file.name : \\\"FoxitReaderUpdater.exe\\\" or\\n file.name : \\\"AcroRd32.exe\\\" or\\n file.name : \\\"rdrcef.exe\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of File Written or Modified by PDF Reader\",\"description\":\"Identifies a suspicious file that was written by a PDF 
reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution of File Written or Modified by PDF Reader\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-120m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e740e6a7-d20d-4a5d-a991-d04cbea2a771\",\"rule_id\":\"1defdd62-cd8d-426e-a246-81a37751bb2b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.603Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=2h\\n [file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.extension : \\\"exe\\\" and\\n (process.name : \\\"AcroRd32.exe\\\" or\\n process.name : \\\"rdrcef.exe\\\" or\\n process.name : \\\"FoxitPhantomPDF.exe\\\" or\\n process.name : \\\"FoxitReader.exe\\\") and\\n not (file.name : \\\"FoxitPhantomPDF.exe\\\" or\\n file.name : \\\"FoxitPhantomPDFUpdater.exe\\\" or\\n file.name : \\\"FoxitReader.exe\\\" or\\n file.name : \\\"FoxitReaderUpdater.exe\\\" or\\n file.name : \\\"AcroRd32.exe\\\" or\\n file.name : \\\"rdrcef.exe\\\")\\n ] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"] by host.id, 
process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"revision\":0,\"current_rule\":{\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"updated_at\":\"2024-12-04T19:45:43.605Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.605Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Hack Tool Launched\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of different processes that might be used by attackers for malicious intent. 
An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Hack Tool 
Launched\",\"description\":\"Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9fa2cd9f-343d-4410-90c7-7f106b3f7938\",\"rule_id\":\"1df1152b-610a-4f48-9d7a-504f6ee5d9da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.605Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", 
\\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", 
\\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in~ (\\n // exploitation frameworks\\n \\\"crackmapexec\\\", \\\"msfconsole\\\", \\\"msfvenom\\\", \\\"sliver-client\\\", \\\"sliver-server\\\", \\\"havoc\\\",\\n // network scanners (nmap left out to reduce 
noise)\\n \\\"zenmap\\\", \\\"nuclei\\\", \\\"netdiscover\\\", \\\"legion\\\",\\n // web enumeration\\n \\\"gobuster\\\", \\\"dirbuster\\\", \\\"dirb\\\", \\\"wfuzz\\\", \\\"ffuf\\\", \\\"whatweb\\\", \\\"eyewitness\\\",\\n // web vulnerability scanning\\n \\\"wpscan\\\", \\\"joomscan\\\", \\\"droopescan\\\", \\\"nikto\\\", \\n // exploitation tools\\n \\\"sqlmap\\\", \\\"commix\\\", \\\"yersinia\\\",\\n // cracking and brute forcing\\n \\\"john\\\", \\\"hashcat\\\", \\\"hydra\\\", \\\"ncrack\\\", \\\"cewl\\\", \\\"fcrackzip\\\", \\\"rainbowcrack\\\",\\n // host and network\\n \\\"linenum.sh\\\", \\\"linpeas.sh\\\", \\\"pspy32\\\", \\\"pspy32s\\\", \\\"pspy64\\\", \\\"pspy64s\\\", \\\"binwalk\\\", \\\"evil-winrm\\\",\\n \\\"linux-exploit-suggester-2.pl\\\", \\\"linux-exploit-suggester.sh\\\", \\\"panix.sh\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"revision\":0,\"current_rule\":{\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"updated_at\":\"2024-12-04T19:45:43.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.608Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Discovery Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Discovery\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to discovery activities. 
Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"},{\"id\":\"T1615\",\"name\":\"Group Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"},{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1518\",\"name\":\"Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]},{\"id\":\"T1012\",\"name\":\"Query Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1012/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1049\",\"name\":\"System Network Connections Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1049/\"},{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging 
policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADDomain\\\" or \\\"Get-ComputerInfo\\\" or\\n \\\"Get-Disk\\\" or \\\"Get-DnsClientCache\\\" or\\n \\\"Get-GPOReport\\\" or \\\"Get-HotFix\\\" or\\n \\\"Get-LocalUser\\\" or \\\"Get-NetFirewallProfile\\\" or\\n \\\"get-nettcpconnection\\\" or \\\"Get-NetAdapter\\\" or\\n \\\"Get-PhysicalDisk\\\" or \\\"Get-Process\\\" or\\n \\\"Get-PSDrive\\\" or \\\"Get-Service\\\" or\\n \\\"Get-SmbShare\\\" or \\\"Get-WinEvent\\\"\\n ) or\\n (\\n (\\\"Get-WmiObject\\\" or \\\"gwmi\\\" or \\\"Get-CimInstance\\\" or\\n \\\"gcim\\\" or \\\"Management.ManagementObjectSearcher\\\" or\\n \\\"System.Management.ManagementClass\\\" or\\n \\\"[WmiClass]\\\" or \\\"[WMI]\\\") and\\n (\\n \\\"AntiVirusProduct\\\" or \\\"CIM_BIOSElement\\\" or \\\"CIM_ComputerSystem\\\" or \\\"CIM_Product\\\" or \\\"CIM_DiskDrive\\\" or\\n \\\"CIM_LogicalDisk\\\" or \\\"CIM_NetworkAdapter\\\" or \\\"CIM_StorageVolume\\\" or \\\"CIM_OperatingSystem\\\" or\\n \\\"CIM_Process\\\" or \\\"CIM_Service\\\" or \\\"MSFT_DNSClientCache\\\" or \\\"Win32_BIOS\\\" or \\\"Win32_ComputerSystem\\\" or\\n \\\"Win32_ComputerSystemProduct\\\" or \\\"Win32_DiskDrive\\\" or \\\"win32_environment\\\" or \\\"Win32_Group\\\" or\\n \\\"Win32_groupuser\\\" or \\\"Win32_IP4RouteTable\\\" or \\\"Win32_logicaldisk\\\" or \\\"Win32_MappedLogicalDisk\\\" or\\n \\\"Win32_NetworkAdapterConfiguration\\\" or \\\"win32_ntdomain\\\" or \\\"Win32_OperatingSystem\\\" or\\n \\\"Win32_PnPEntity\\\" or \\\"Win32_Process\\\" or \\\"Win32_Product\\\" or \\\"Win32_quickfixengineering\\\" or\\n 
\\\"win32_service\\\" or \\\"Win32_Share\\\" or \\\"Win32_UserAccount\\\"\\n )\\n ) or\\n (\\n (\\\"ADSI\\\" and \\\"WinNT\\\") or\\n (\\\"Get-ChildItem\\\" and \\\"sysmondrv.sys\\\") or\\n (\\\"::GetIPGlobalProperties()\\\" and \\\"GetActiveTcpConnections()\\\") or\\n (\\\"ServiceProcess.ServiceController\\\" and \\\"::GetServices\\\") or\\n (\\\"Diagnostics.Process\\\" and \\\"::GetProcesses\\\") or\\n (\\\"DirectoryServices.Protocols.GroupPolicy\\\" and \\\".GetGPOReport()\\\") or\\n (\\\"DirectoryServices.AccountManagement\\\" and \\\"PrincipalSearcher\\\") or\\n (\\\"NetFwTypeLib.NetFwMgr\\\" and \\\"CurrentProfile\\\") or\\n (\\\"NetworkInformation.NetworkInterface\\\" and \\\"GetAllNetworkInterfaces\\\") or\\n (\\\"Automation.PSDriveInfo\\\") or\\n (\\\"Microsoft.Win32.RegistryHive\\\")\\n ) or\\n (\\n \\\"Get-ItemProperty\\\" and\\n (\\n \\\"\\\\Control\\\\SecurityProviders\\\\WDigest\\\" or\\n \\\"\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\runmru\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\" or\\n \\\"Policies\\\\Microsoft\\\\Windows\\\\Installer\\\" or\\n \\\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\" or\\n (\\\"\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\" and \\\"EnableFirewall\\\") or\\n (\\\"Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\" and \\\"proxyEnable\\\")\\n )\\n ) or\\n (\\n (\\\"Directoryservices.Activedirectory\\\" or\\n \\\"DirectoryServices.AccountManagement\\\") and \\n (\\n \\\"Domain Admins\\\" or \\\"DomainControllers\\\" or\\n \\\"FindAllGlobalCatalogs\\\" or \\\"GetAllTrustRelationships\\\" or\\n \\\"GetCurrentDomain\\\" or \\\"GetCurrentForest\\\"\\n ) or\\n \\\"DirectoryServices.DirectorySearcher\\\" and\\n (\\n \\\"samAccountType=805306368\\\" or\\n 
\\\"samAccountType=805306369\\\" or\\n \\\"objectCategory=group\\\" or\\n \\\"objectCategory=groupPolicyContainer\\\" or\\n \\\"objectCategory=site\\\" or\\n \\\"objectCategory=subnet\\\" or\\n \\\"objectClass=trustedDomain\\\"\\n )\\n ) or\\n (\\n \\\"Get-Process\\\" and\\n (\\n \\\"mcshield\\\" or \\\"windefend\\\" or \\\"savservice\\\" or\\n \\\"TMCCSF\\\" or \\\"symantec antivirus\\\" or\\n \\\"CSFalcon\\\" or \\\"TmPfw\\\" or \\\"kvoop\\\"\\n )\\n )\\n ) and\\n not powershell.file.script_block_text : (\\n (\\n \\\"__cmdletization_BindCommonParameters\\\" and\\n \\\"Microsoft.PowerShell.Core\\\\Export-ModuleMember\\\" and\\n \\\"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\\\"\\n ) or\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\",\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\")\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Azure AD Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"*ServiceNow MID 
Server*\\\\\\\\agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Discovery Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to discovery activities. 
Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Discovery\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"},{\"id\":\"T1615\",\"name\":\"Group Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"},{\"id\":\"T1201\",\"name\":\"Password Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]},{\"id\":\"T1012\",\"name\":\"Query Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1012/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1049\",\"name\":\"System Network Connections Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1049/\"},{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2c3724e3-7466-4231-ac84-46760b8fb35d\",\"rule_id\":\"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Azure AD Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"*ServiceNow MID 
Server*\\\\\\\\agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADDomain\\\" or \\\"Get-ComputerInfo\\\" or\\n \\\"Get-Disk\\\" or \\\"Get-DnsClientCache\\\" or\\n \\\"Get-GPOReport\\\" or \\\"Get-HotFix\\\" or\\n \\\"Get-LocalUser\\\" or \\\"Get-NetFirewallProfile\\\" or\\n \\\"get-nettcpconnection\\\" or \\\"Get-NetAdapter\\\" or\\n \\\"Get-PhysicalDisk\\\" or \\\"Get-Process\\\" or\\n \\\"Get-PSDrive\\\" or \\\"Get-Service\\\" or\\n \\\"Get-SmbShare\\\" or \\\"Get-WinEvent\\\"\\n ) or\\n (\\n (\\\"Get-WmiObject\\\" or \\\"gwmi\\\" or \\\"Get-CimInstance\\\" or\\n \\\"gcim\\\" or \\\"Management.ManagementObjectSearcher\\\" or\\n \\\"System.Management.ManagementClass\\\" or\\n \\\"[WmiClass]\\\" or \\\"[WMI]\\\") and\\n (\\n \\\"AntiVirusProduct\\\" or \\\"CIM_BIOSElement\\\" or \\\"CIM_ComputerSystem\\\" or \\\"CIM_Product\\\" or \\\"CIM_DiskDrive\\\" or\\n 
\\\"CIM_LogicalDisk\\\" or \\\"CIM_NetworkAdapter\\\" or \\\"CIM_StorageVolume\\\" or \\\"CIM_OperatingSystem\\\" or\\n \\\"CIM_Process\\\" or \\\"CIM_Service\\\" or \\\"MSFT_DNSClientCache\\\" or \\\"Win32_BIOS\\\" or \\\"Win32_ComputerSystem\\\" or\\n \\\"Win32_ComputerSystemProduct\\\" or \\\"Win32_DiskDrive\\\" or \\\"win32_environment\\\" or \\\"Win32_Group\\\" or\\n \\\"Win32_groupuser\\\" or \\\"Win32_IP4RouteTable\\\" or \\\"Win32_logicaldisk\\\" or \\\"Win32_MappedLogicalDisk\\\" or\\n \\\"Win32_NetworkAdapterConfiguration\\\" or \\\"win32_ntdomain\\\" or \\\"Win32_OperatingSystem\\\" or\\n \\\"Win32_PnPEntity\\\" or \\\"Win32_Process\\\" or \\\"Win32_Product\\\" or \\\"Win32_quickfixengineering\\\" or\\n \\\"win32_service\\\" or \\\"Win32_Share\\\" or \\\"Win32_UserAccount\\\"\\n )\\n ) or\\n (\\n (\\\"ADSI\\\" and \\\"WinNT\\\") or\\n (\\\"Get-ChildItem\\\" and \\\"sysmondrv.sys\\\") or\\n (\\\"::GetIPGlobalProperties()\\\" and \\\"GetActiveTcpConnections()\\\") or\\n (\\\"ServiceProcess.ServiceController\\\" and \\\"::GetServices\\\") or\\n (\\\"Diagnostics.Process\\\" and \\\"::GetProcesses\\\") or\\n (\\\"DirectoryServices.Protocols.GroupPolicy\\\" and \\\".GetGPOReport()\\\") or\\n (\\\"DirectoryServices.AccountManagement\\\" and \\\"PrincipalSearcher\\\") or\\n (\\\"NetFwTypeLib.NetFwMgr\\\" and \\\"CurrentProfile\\\") or\\n (\\\"NetworkInformation.NetworkInterface\\\" and \\\"GetAllNetworkInterfaces\\\") or\\n (\\\"Automation.PSDriveInfo\\\") or\\n (\\\"Microsoft.Win32.RegistryHive\\\")\\n ) or\\n (\\n \\\"Get-ItemProperty\\\" and\\n (\\n \\\"\\\\Control\\\\SecurityProviders\\\\WDigest\\\" or\\n \\\"\\\\microsoft\\\\windows\\\\currentversion\\\\explorer\\\\runmru\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Kerberos\\\\Parameters\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\" or\\n \\\"\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\" or\\n 
\\\"Policies\\\\Microsoft\\\\Windows\\\\Installer\\\" or\\n \\\"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\" or\\n (\\\"\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\" and \\\"EnableFirewall\\\") or\\n (\\\"Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\" and \\\"proxyEnable\\\")\\n )\\n ) or\\n (\\n (\\\"Directoryservices.Activedirectory\\\" or\\n \\\"DirectoryServices.AccountManagement\\\") and \\n (\\n \\\"Domain Admins\\\" or \\\"DomainControllers\\\" or\\n \\\"FindAllGlobalCatalogs\\\" or \\\"GetAllTrustRelationships\\\" or\\n \\\"GetCurrentDomain\\\" or \\\"GetCurrentForest\\\"\\n ) or\\n \\\"DirectoryServices.DirectorySearcher\\\" and\\n (\\n \\\"samAccountType=805306368\\\" or\\n \\\"samAccountType=805306369\\\" or\\n \\\"objectCategory=group\\\" or\\n \\\"objectCategory=groupPolicyContainer\\\" or\\n \\\"objectCategory=site\\\" or\\n \\\"objectCategory=subnet\\\" or\\n \\\"objectClass=trustedDomain\\\"\\n )\\n ) or\\n (\\n \\\"Get-Process\\\" and\\n (\\n \\\"mcshield\\\" or \\\"windefend\\\" or \\\"savservice\\\" or\\n \\\"TMCCSF\\\" or \\\"symantec antivirus\\\" or\\n \\\"CSFalcon\\\" or \\\"TmPfw\\\" or \\\"kvoop\\\"\\n )\\n )\\n ) and\\n not powershell.file.script_block_text : (\\n (\\n \\\"__cmdletization_BindCommonParameters\\\" and\\n \\\"Microsoft.PowerShell.Core\\\\Export-ModuleMember\\\" and\\n \\\"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\\\"\\n ) or\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\",\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\" or \\\"S-1-5-20\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"revision\":0,\"current_rule\":{\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"updated_at\":\"2024-12-04T19:45:43.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.613Z\",\"created_by\":\"elastic\",\"name\":\"Creation of a DNS-Named Record\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. 
They can also create specific records to target specific services, such as wpad, for spoofing attacks.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above 
policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectClass == \\\"dnsNode\\\" and\\n not winlog.event_data.SubjectUserName : \\\"*$\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of a DNS-Named Record\",\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. 
They can also create specific records to target specific services, such as wpad, for spoofing attacks.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents 
-AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectClass\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bf1bdcab-e727-4ee1-be5b-6896e67ece0a\",\"rule_id\":\"1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectClass == \\\"dnsNode\\\" and\\n not winlog.event_data.SubjectUserName : \\\"*$\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory 
Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"revision\":0,\"current_rule\":{\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"updated_at\":\"2024-12-04T19:45:43.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.615Z\",\"created_by\":\"elastic\",\"name\":\"Creation of SettingContent-ms Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.extension : \\\"settingcontent-ms\\\" and\\n not file.path : (\\n 
\\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\windows.immersivecontrolpanel_*\\\\\\\\LocalState\\\\\\\\Indexed\\\\\\\\Settings\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-s..*\\\\\\\\*.settingcontent-ms\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of SettingContent-ms Files\",\"description\":\"Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1914d8d9-cc68-44f8-a340-3e160d0d35a7\",\"rule_id\":\"1e6363a6-3af5-41d4-b7ea-d475389c0ceb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.extension : \\\"settingcontent-ms\\\" and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\windows.immersivecontrolpanel_*\\\\\\\\LocalState\\\\\\\\Indexed\\\\\\\\Settings\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-s..*\\\\\\\\*.settingcontent-ms\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"revision\":0,\"current_rule\":{\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"updated_at\":\"2024-12-04T19:45:43.620Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.620Z\",\"created_by\":\"elastic\",\"name\":\"Potential Antimalware Scan Interface Bypass via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of 
PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate commands and scripts executed after this activity was observed.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:\\\"process\\\" and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"System.Management.Automation.AmsiUtils\\\" or\\n\\t\\t\\tamsiInitFailed or \\n\\t\\t\\t\\\"Invoke-AmsiBypass\\\" or \\n\\t\\t\\t\\\"Bypass.AMSI\\\" or \\n\\t\\t\\t\\\"amsi.dll\\\" or \\n\\t\\t\\tAntimalwareProvider or \\n\\t\\t\\tamsiSession or \\n\\t\\t\\tamsiContext or\\n\\t\\t\\tAmsiInitialize or \\n\\t\\t\\tunloadobfuscated or \\n\\t\\t\\tunloadsilent or \\n\\t\\t\\tAmsiX64 or \\n\\t\\t\\tAmsiX32 or \\n\\t\\t\\tFindAmsiFun\\n ) or\\n powershell.file.script_block_text:(\\\"[System.Runtime.InteropServices.Marshal]::Copy\\\" and \\\"VirtualProtect\\\") or\\n powershell.file.script_block_text:(\\\"[Ref].Assembly.GetType(('System.Management.Automation\\\" and \\\".SetValue(\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Antimalware Scan Interface Bypass via PowerShell\",\"description\":\"Identifies the execution of PowerShell script with keywords related to different Antimalware 
Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate commands and scripts executed after this activity was observed.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"0d766c09-97b6-401b-805e-bd98f732633f\",\"rule_id\":\"1f0a69c0-3392-4adf-b7d5-6012fd292da8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.620Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:\\\"process\\\" and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"System.Management.Automation.AmsiUtils\\\" or\\n\\t\\t\\tamsiInitFailed or \\n\\t\\t\\t\\\"Invoke-AmsiBypass\\\" or \\n\\t\\t\\t\\\"Bypass.AMSI\\\" or \\n\\t\\t\\t\\\"amsi.dll\\\" or \\n\\t\\t\\tAntimalwareProvider or \\n\\t\\t\\tamsiSession or \\n\\t\\t\\tamsiContext or\\n\\t\\t\\tAmsiInitialize or \\n\\t\\t\\tunloadobfuscated or \\n\\t\\t\\tunloadsilent or \\n\\t\\t\\tAmsiX64 or \\n\\t\\t\\tAmsiX32 or \\n\\t\\t\\tFindAmsiFun\\n ) or\\n powershell.file.script_block_text:(\\\"[System.Runtime.InteropServices.Marshal]::Copy\\\" and \\\"VirtualProtect\\\") or\\n powershell.file.script_block_text:(\\\"[Ref].Assembly.GetType(('System.Management.Automation\\\" and \\\".SetValue(\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"revision\":0,\"current_rule\":{\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"updated_at\":\"2024-12-04T19:45:43.623Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.623Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Execution on WBEM Path\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\wbem\\\\\\\\*\\\") and\\n not process.name : (\\n \\\"mofcomp.exe\\\",\\n \\\"scrcons.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wbemtest.exe\\\",\\n \\\"winmgmt.exe\\\",\\n \\\"wmiadap.exe\\\",\\n \\\"wmiapsrv.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"wmiprvse.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Execution on WBEM Path\",\"description\":\"Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"031732c5-13e3-4e6e-842a-9a42e0a12fe1\",\"rule_id\":\"1f460f12-a3cf-4105-9ebb-f788cc63f365\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.623Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWow64\\\\\\\\wbem\\\\\\\\*\\\") and\\n not process.name : (\\n \\\"mofcomp.exe\\\",\\n \\\"scrcons.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wbemtest.exe\\\",\\n \\\"winmgmt.exe\\\",\\n \\\"wmiadap.exe\\\",\\n \\\"wmiapsrv.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"wmiprvse.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"revision\":0,\"current_rule\":{\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"updated_at\":\"2024-12-04T19:45:43.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.628Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Activity from a Windows System Binary\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity from a Windows System Binary\\n\\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\\n\\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"},{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" 
or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Activity from a Windows System Binary\",\"description\":\"Identifies network activity from unexpected system applications. 
This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity from a Windows System Binary\\n\\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\\n\\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"},{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d527a474-80a9-4d9d-8350-d6d12b513d68\",\"rule_id\":\"1fe3b299-fbb5-4657-a937-1d746f2c711a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n 
process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n 
\\\"evcs-ocsp.ws.symantec.com\\\", \\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name 
: \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n 
process.name : \\\"xwizard.exe\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", 
\\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n \\\"evcs-ocsp.ws.symantec.com\\\", \\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n /* known applocker bypasses */\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"MSBuild.exe\\\" or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n 
process.name : \\\"msiexec.exe\\\" or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n [network where\\n (process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"control.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"installutil.exe\\\" or\\n process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n (\\n process.name : \\\"msbuild.exe\\\" and\\n destination.ip != \\\"127.0.0.1\\\"\\n ) or\\n process.name : \\\"msdt.exe\\\" or\\n process.name : \\\"mshta.exe\\\" or\\n (\\n process.name : \\\"msiexec.exe\\\" and not\\n dns.question.name : (\\n \\\"ocsp.digicert.com\\\", \\\"ocsp.verisign.com\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.entrust.net\\\", \\\"ocsp.usertrust.com\\\",\\n \\\"ocsp.godaddy.com\\\", \\\"ocsp.camerfirma.com\\\", \\\"ocsp.globalsign.com\\\", \\\"ocsp.sectigo.com\\\", \\\"*.local\\\"\\n ) and\\n /* Localhost, DigiCert and Comodo CA IP addresses */\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"192.229.211.108/32\\\", \\\"192.229.221.95/32\\\",\\n \\\"152.195.38.76/32\\\", \\\"104.18.14.101/32\\\")\\n ) or\\n process.name : \\\"msxsl.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"regsvr32.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and \\n \\n not dns.question.name : (\\\"localhost\\\", \\\"setup.officetimeline.com\\\", \\\"us.deployment.endpoint.ingress.rapid7.com\\\", \\n \\\"ctldl.windowsupdate.com\\\", \\\"crl?.digicert.com\\\", \\\"ocsp.digicert.com\\\", \\\"addon-cms-asl.eu.goskope.com\\\", \\\"crls.ssl.com\\\", \\n \\\"evcs-ocsp.ws.symantec.com\\\", 
\\\"s.symcd.com\\\", \\\"s?.symcb.com\\\", \\\"crl.verisign.com\\\", \\\"oneocsp.microsoft.com\\\", \\\"crl.verisign.com\\\", \\n \\\"aka.ms\\\", \\\"crl.comodoca.com\\\", \\\"acroipm2.adobe.com\\\", \\\"sv.symcd.com\\\") and \\n\\n /* host query itself */\\n not startswith~(dns.question.name, host.name)\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"revision\":0,\"current_rule\":{\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"updated_at\":\"2024-12-04T19:45:43.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.637Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious .NET Code Compilation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : 
(\\\"csc.exe\\\", \\\"vbc.exe\\\") and\\n process.parent.name : (\\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"cscript.exe\\\", \\\"wmic.exe\\\", \\\"svchost.exe\\\", \\\"rundll32.exe\\\", \\\"cmstp.exe\\\", \\\"regsvr32.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious .NET Code Compilation\",\"description\":\"Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cc69d8a0-e387-4ce0-9145-c902988cb3e7\",\"rule_id\":\"201200f1-a99b-43fb-88ed-f65a45c4972c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"csc.exe\\\", \\\"vbc.exe\\\") and\\n process.parent.name : (\\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"cscript.exe\\\", \\\"wmic.exe\\\", \\\"svchost.exe\\\", \\\"rundll32.exe\\\", \\\"cmstp.exe\\\", 
\\\"regsvr32.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"revision\":0,\"current_rule\":{\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"updated_at\":\"2024-12-04T19:45:40.141Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.141Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of Root Certificate\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a local trusted root certificate in Windows. 
The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation or Modification of Root Certificate\\n\\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\\n\\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\\n\\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain applications may install root certificates for the purpose of inspecting SSL traffic.\"],\"from\":\"now-9m\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.004\",\"name\":\"Install Root 
Certificate\",\"reference\":\"https://attack.mitre.org/techniques/T1553/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\",\"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of Root Certificate\",\"description\":\"Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation or Modification of Root Certificate\\n\\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. 
Windows adds several trusted root certificates so browsers can use them to communicate with websites.\\n\\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\\n\\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain applications may install root certificates for the purpose of inspecting SSL traffic.\"],\"references\":[\"https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec\",\"https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.004\",\"name\":\"Install Root 
Certificate\",\"reference\":\"https://attack.mitre.org/techniques/T1553/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"144bc0c3-c4d4-4150-8be0-58a7a10570b0\",\"rule_id\":\"203ab79b-239b-4aa5-8e54-fc50623ee8e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.141Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows 
Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Blob\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\Root\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\SystemCertificates\\\\\\\\AuthRoot\\\\\\\\Certificates\\\\\\\\*\\\\\\\\Blob\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Lenovo\\\\\\\\Vantage\\\\\\\\Addins\\\\\\\\LenovoHardwareScanAddin\\\\\\\\*\\\\\\\\LdeApi.Server.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\64\\\\\\\\certmgr.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MpDefenderCoreService.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\ProgramData\\\\\\\\Quest\\\\\\\\KACE\\\\\\\\modules\\\\\\\\clientidentifier\\\\\\\\clientidentifier.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\cache\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cluster\\\\\\\\clussvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\PluginHost86\\\\\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\ImController\\\\\\\\Service\\\\\\\\Lenovo.Modern.ImController.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"revision\":0,\"current_rule\":{\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"updated_at\":\"2024-12-04T19:45:43.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.645Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Web Browser Sensitive File Access\",\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. 
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.003\",\"name\":\"Credentials from Web Browsers\",\"reference\":\"https://attack.mitre.org/techniques/T1555/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://securelist.com/calisto-trojan-for-macos/86543/\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.effective_parent.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis 
rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not process.Ext.effective_parent.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Web Browser Sensitive File Access\",\"description\":\"Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. 
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://securelist.com/calisto-trojan-for-macos/86543/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1539\",\"name\":\"Steal Web Session Cookie\",\"reference\":\"https://attack.mitre.org/techniques/T1539/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.003\",\"name\":\"Credentials from Web Browsers\",\"reference\":\"https://attack.mitre.org/techniques/T1555/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8a588033-cac4-431c-a10b-cb80c50eb82d\",\"rule_id\":\"20457e4f-d1de-4b92-ae69-142e27a4342a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.645Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n 
((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.effective_parent.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyw
ord\",\"ecs\":true}],\"merged_version\":[{\"name\":\"Effective_process.executable\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not process.Ext.effective_parent.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not 
process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where event.action == \\\"open\\\" and host.os.type == \\\"macos\\\" and process.executable != null and\\n file.name : (\\\"cookies.sqlite\\\", \\n \\\"key?.db\\\", \\n \\\"logins.json\\\", \\n \\\"Cookies\\\", \\n \\\"Cookies.binarycookies\\\", \\n \\\"Login Data\\\") and \\n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \\\"osascript\\\") and \\n not process.code_signature.signing_id : \\\"org.mozilla.firefox\\\" and\\n not Effective_process.executable : \\\"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"revision\":0,\"current_rule\":{\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"updated_at\":\"2024-12-04T19:45:43.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.648Z\",\"created_by\":\"elastic\",\"name\":\"Werfault ReflectDebugger Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the registration of a Werfault Debugger. 
Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \\\"-pr\\\" parameter.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Werfault ReflectDebugger Persistence\",\"description\":\"Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \\\"-pr\\\" parameter.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"38659c39-880a-4769-9a3b-c9dd17885063\",\"rule_id\":\"205b52c4-9c28-4af4-8979-935f3278d61a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.648Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error 
Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\Hangs\\\\\\\\ReflectDebugger\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"revision\":0,\"current_rule\":{\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"updated_at\":\"2024-12-04T19:45:43.650Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.650Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Memory Dump Handle Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. 
It detects this behavior at a low level and does not depend on a specific tool or dump file name.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Handle Access\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Scope compromised credentials and disable the accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656\",\"https://twitter.com/jsecurity101/status/1227987828534956033?s=20\",\"https://attack.mitre.org/techniques/T1003/001/\",\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html\",\"http://findingbad.blogspot.com/2017/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nAlso, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access 
rights.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action == \\\"File System\\\" and event.code == \\\"4656\\\" and\\n\\n winlog.event_data.ObjectName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\") and\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n (winlog.event_data.AccessMask : (\\\"0x1fffff\\\" , \\\"0x1010\\\", \\\"0x120089\\\", \\\"0x1F3FFF\\\") or\\n winlog.event_data.AccessMaskDescription : (\\\"READ_CONTROL\\\", \\\"Read from process memory\\\"))\\n\\n /* Common Noisy False Positives */\\n\\n and not winlog.event_data.ProcessName : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Memory Dump Handle Access\",\"description\":\"Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Handle Access\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Scope compromised credentials and disable the accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656\",\"https://twitter.com/jsecurity101/status/1227987828534956033?s=20\",\"https://attack.mitre.org/techniques/T1003/001/\",\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html\",\"http://findingbad.blogspot.com/2017/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nAlso, this event generates only if the object’s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"688fae9b-c7c9-4bcd-aae4-7be9ec4565a0\",\"rule_id\":\"208dbe77-01ed-4954-8d44-1e5751cb20de\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.650Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action == \\\"File System\\\" and event.code == \\\"4656\\\" and\\n\\n winlog.event_data.ObjectName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\") and\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n (winlog.event_data.AccessMask : (\\\"0x1fffff\\\" , \\\"0x1010\\\", \\\"0x120089\\\", \\\"0x1F3FFF\\\") or\\n winlog.event_data.AccessMaskDescription : (\\\"READ_CONTROL\\\", \\\"Read from process memory\\\"))\\n\\n /* Common Noisy False Positives */\\n\\n and not winlog.event_data.ProcessName : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"revision\":0,\"current_rule\":{\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"updated_at\":\"2024-12-04T19:45:43.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.652Z\",\"created_by\":\"elastic\",\"name\":\"Mofcomp Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. 
Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mofcomp.exe\\\" and process.args : \\\"*.mof\\\" and\\n not user.id : \\\"S-1-5-18\\\" and\\n not\\n (\\n process.parent.name : \\\"ScenarioEngine.exe\\\" and\\n process.args : (\\n \\\"*\\\\\\\\MSSQL\\\\\\\\Binn\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\Microsoft SQL Server\\\\\\\\???\\\\\\\\Shared\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\OLAP\\\\\\\\bin\\\\\\\\*.mof\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mofcomp Activity\",\"description\":\"Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. 
Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f4dee06f-3709-4a09-b2ee-7adb357c26a6\",\"rule_id\":\"210d4430-b371-470e-b879-80b7182aa75e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mofcomp.exe\\\" and process.args : \\\"*.mof\\\" and\\n not user.id : \\\"S-1-5-18\\\" and\\n not\\n (\\n process.parent.name : \\\"ScenarioEngine.exe\\\" and\\n process.args : (\\n \\\"*\\\\\\\\MSSQL\\\\\\\\Binn\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\Microsoft SQL Server\\\\\\\\???\\\\\\\\Shared\\\\\\\\*.mof\\\",\\n \\\"*\\\\\\\\OLAP\\\\\\\\bin\\\\\\\\*.mof\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-m365_defender.event-*\",\"endgame-*\",\"logs-system.security-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"updated_at\":\"2024-12-04T19:45:43.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.657Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Google Workspace OAuth Login from Third-Party Application\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. 
Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.\"],\"from\":\"now-130m\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.token.scope.data\",\"type\":\"flattened\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"google_workspace.token\\\" and event.action: \\\"authorize\\\" and\\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\\n\",\"new_terms_fields\":[\"google_workspace.token.client.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Google Workspace OAuth Login from Third-Party Application\",\"description\":\"Detects the first time a third-party application logs in and 
authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks.\"],\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace 
Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.token.scope.data\",\"type\":\"flattened\",\"ecs\":false}],\"id\":\"2346e1b5-bead-4815-bb09-44ffca9dfe36\",\"rule_id\":\"21bafdf0-cf17-11ed-bd57-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.002Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.657Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"google_workspace.token\\\" and event.action: \\\"authorize\\\" and\\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\\n\",\"new_terms_fields\":[\"google_workspace.token.client.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"target_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"merged_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://developers.google.com/identity/protocols/oauth2\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"revision\":0,\"current_rule\":{\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"updated_at\":\"2024-12-04T19:45:43.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.660Z\",\"created_by\":\"elastic\",\"name\":\"Full User-Mode Dumps Enabled System-Wide\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. 
This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\",\"https://github.com/deepinstinct/Lsass-Shtinkering\",\"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\"\\n ) and\\n registry.data.strings : (\\\"2\\\", \\\"0x00000002\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\" and user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Full User-Mode Dumps Enabled System-Wide\",\"description\":\"Identifies the enable of the full user-mode dumps feature system-wide. 
This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps\",\"https://github.com/deepinstinct/Lsass-Shtinkering\",\"https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0d88bd09-e03a-4869-96ef-648aa0fac805\",\"rule_id\":\"220be143-5c67-4fdb-b6ce-dd6826d024fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:43.660Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Windows Error Reporting\\\\\\\\LocalDumps\\\\\\\\DumpType\\\"\\n ) and\\n registry.data.strings : (\\\"2\\\", \\\"0x00000002\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\" and user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", 
\\\"S-1-5-20\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"revision\":0,\"current_rule\":{\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"updated_at\":\"2024-12-04T19:45:44.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.732Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Module Load via insmod\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Rootkit\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. 
Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kernel module load via insmod\\n\\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \\n\\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\\n\\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the kernel object file that was loaded via insmod.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = 
{{user.name}}\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - $osquery_6\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation 
to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and 
Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Module Load via insmod\",\"description\":\"Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. 
Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kernel module load via insmod\\n\\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \\n\\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\\n\\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the kernel object file that was loaded via insmod.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - $osquery_6\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Rootkit\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"76f06403-4a80-46c9-aa25-2abdbbe6ef74\",\"rule_id\":\"2339f03c-f53f-40fa-834b-40c5983fc41f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", 
\\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot 
process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", \\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.name == \\\"insmod\\\" and process.args : \\\"*.ko\\\" and\\nnot process.parent.executable like (\\n \\\"/opt/ds_agent/*\\\", \\\"/usr/sbin/veeamsnap-loader\\\", \\\"/opt/TrendMicro/vls_agent/*\\\", \\\"/opt/intel/oneapi/*\\\",\\n \\\"/opt/commvault/Base/linux_drv\\\", \\\"/bin/falcoctl\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"revision\":0,\"current_rule\":{\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"updated_at\":\"2024-12-04T19:45:44.596Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.596Z\",\"created_by\":\"elastic\",\"name\":\"Unknown Execution of Binary with RWX Memory Region\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. 
RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\\n process.executable:(\\n \\\"/usr/share/kibana/node/bin/node\\\" or \\\"/usr/share/elasticsearch/jdk/bin/java\\\" or \\\"/usr/sbin/apache2\\\"\\n ) or\\n process.name:httpd\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Unknown Execution of Binary with RWX Memory Region\",\"description\":\"Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. 
This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"64fa1743-d12c-466e-a576-c21ded5afdf7\",\"rule_id\":\"23bcd283-2bc0-4db2-81d4-273fc051e5c0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.596Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\\n process.executable:(\\n \\\"/usr/share/kibana/node/bin/node\\\" or 
\\\"/usr/share/elasticsearch/jdk/bin/java\\\" or \\\"/usr/sbin/apache2\\\"\\n ) or\\n process.name:httpd\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"target_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"revision\":0,\"current_rule\":{\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"updated_at\":\"2024-12-04T19:45:44.601Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.601Z\",\"created_by\":\"elastic\",\"name\":\"Lateral Movement via Startup Folder\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious file creations in the startup folder of a remote system. 
An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and\\n\\n /* via RDP TSClient mounted share or SMB */\\n (process.name : \\\"mstsc.exe\\\" or process.pid == 4) and\\n\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Lateral Movement via Startup 
Folder\",\"description\":\"Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"5860dbca-8ca4-4fbe-89ea-91642cc91291\",\"rule_id\":\"25224a80-5a4a-4b8a-991e-6ab390465c4f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.601Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and\\n\\n /* via RDP TSClient mounted share or SMB */\\n (process.name : \\\"mstsc.exe\\\" or process.pid == 4) and\\n\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\"],\"target_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.mdsec.co.uk/2017/06/rdpinception/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"revision\":0,\"current_rule\":{\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"updated_at\":\"2024-12-04T19:45:44.604Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.604Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell HackTool Script by Author\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"host.os.type:windows and event.category:process and\\n powershell.file.script_block_text : (\\n \\\"mattifestation\\\" or \\\"JosephBialek\\\" or\\n \\\"harmj0y\\\" or \\\"ukstufus\\\" or\\n \\\"SecureThisShit\\\" or \\\"Matthew Graeber\\\" or\\n \\\"secabstraction\\\" or \\\"mgeeky\\\" or\\n \\\"oddvarmoe\\\" or \\\"am0nsec\\\" or\\n \\\"obscuresec\\\" or \\\"sixdub\\\" or\\n \\\"darkoperator\\\" or \\\"funoverip\\\" or\\n \\\"rvrsh3ll\\\" or \\\"kevin_robertson\\\" or\\n \\\"dafthack\\\" or \\\"r4wd3r\\\" or\\n \\\"danielhbohannon\\\" or 
\\\"OneLogicalMyth\\\" or\\n \\\"cobbr_io\\\" or \\\"xorrior\\\" or\\n \\\"PetrMedonos\\\" or \\\"citronneur\\\" or\\n \\\"eladshamir\\\" or \\\"RastaMouse\\\" or\\n \\\"enigma0x3\\\" or \\\"FuzzySec\\\" or\\n \\\"424f424f\\\" or \\\"jaredhaight\\\" or\\n \\\"fullmetalcache\\\" or \\\"Hubbl3\\\" or\\n \\\"curi0usJack\\\" or \\\"Cx01N\\\" or\\n \\\"itm4n\\\" or \\\"nurfed1\\\" or\\n \\\"cfalta\\\" or \\\"Scott Sutherland\\\" or\\n \\\"_nullbind\\\" or \\\"_tmenochet\\\" or\\n \\\"jaredcatkinson\\\" or \\\"ChrisTruncer\\\" or\\n \\\"monoxgas\\\" or \\\"TheRealWover\\\" or\\n \\\"splinter_code\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell HackTool Script by Author\",\"description\":\"Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"ad957cdd-3ff6-4163-b3ad-14b1827919c2\",\"rule_id\":\"2553a9af-52a4-4a05-bb03-85b2a479a0a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.604Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"host.os.type:windows and event.category:process and\\n powershell.file.script_block_text : (\\n \\\"mattifestation\\\" or \\\"JosephBialek\\\" or\\n \\\"harmj0y\\\" or \\\"ukstufus\\\" or\\n \\\"SecureThisShit\\\" or \\\"Matthew Graeber\\\" or\\n \\\"secabstraction\\\" or \\\"mgeeky\\\" or\\n \\\"oddvarmoe\\\" or \\\"am0nsec\\\" or\\n \\\"obscuresec\\\" or \\\"sixdub\\\" or\\n \\\"darkoperator\\\" or \\\"funoverip\\\" or\\n \\\"rvrsh3ll\\\" or \\\"kevin_robertson\\\" or\\n \\\"dafthack\\\" or 
\\\"r4wd3r\\\" or\\n \\\"danielhbohannon\\\" or \\\"OneLogicalMyth\\\" or\\n \\\"cobbr_io\\\" or \\\"xorrior\\\" or\\n \\\"PetrMedonos\\\" or \\\"citronneur\\\" or\\n \\\"eladshamir\\\" or \\\"RastaMouse\\\" or\\n \\\"enigma0x3\\\" or \\\"FuzzySec\\\" or\\n \\\"424f424f\\\" or \\\"jaredhaight\\\" or\\n \\\"fullmetalcache\\\" or \\\"Hubbl3\\\" or\\n \\\"curi0usJack\\\" or \\\"Cx01N\\\" or\\n \\\"itm4n\\\" or \\\"nurfed1\\\" or\\n \\\"cfalta\\\" or \\\"Scott Sutherland\\\" or\\n \\\"_nullbind\\\" or \\\"_tmenochet\\\" or\\n \\\"jaredcatkinson\\\" or \\\"ChrisTruncer\\\" or\\n \\\"monoxgas\\\" or \\\"TheRealWover\\\" or\\n \\\"splinter_code\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"revision\":0,\"current_rule\":{\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"updated_at\":\"2024-12-04T19:45:44.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.608Z\",\"created_by\":\"elastic\",\"name\":\"Network Activity Detected via Kworker\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"},{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1041\",\"name\":\"Exfiltration Over C2 
Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1041/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:2049\\n\",\"new_terms_fields\":[\"process.name\",\"destination.ip\",\"destination.port\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Activity Detected via Kworker\",\"description\":\"This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. 
Attackers may attempt to evade detection by masquerading as a kernel worker process.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"},{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1041\",\"name\":\"Exfiltration Over C2 Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1041/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d7177e24-d781-46c7-8b51-b3e5cc9f16e5\",\"rule_id\":\"25d917c4-aa3c-4111-974c-286c0312ff95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or 
\\\"597\\\")\\n\",\"new_terms_fields\":[\"process.name\",\"host.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:2049\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or \\\"597\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \\nprocess.name:kworker* and not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16 or\\n 224.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n) and not destination.port:(\\\"2049\\\" or \\\"111\\\" or \\\"892\\\" or 
\\\"597\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.name\",\"destination.ip\",\"destination.port\"],\"target_version\":[\"process.name\",\"host.id\"],\"merged_version\":[\"process.name\",\"host.id\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"revision\":0,\"current_rule\":{\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"updated_at\":\"2024-12-04T19:46:03.717Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.717Z\",\"created_by\":\"elastic\",\"name\":\"Potential Relay Attack against a Domain Controller\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. 
Attackers may relay the DC hash after capturing it using forced authentication.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"},{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\",\"subtechnique\":[{\"id\":\"T1557.001\",\"name\":\"LLMNR/NBT-NS Poisoning and SMB Relay\",\"reference\":\"https://attack.mitre.org/techniques/T1557/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\
"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-system.security-*\",\"logs-windows.forwarded*\"],\"query\":\"authentication where host.os.type == \\\"windows\\\" and event.code in (\\\"4624\\\", \\\"4625\\\") and endswith~(user.name, \\\"$\\\") and\\n winlog.event_data.AuthenticationPackageName : \\\"NTLM\\\" and winlog.logon.type : \\\"network\\\" and\\n\\n /* Filter for a machine account that matches the hostname */\\n startswith~(host.name, substring(user.name, 0, -1)) and\\n \\n /* Verify if the Source IP belongs to the host */\\n not endswith(string(source.ip), string(host.ip)) and\\n source.ip != null and source.ip != \\\"::1\\\" and source.ip != \\\"127.0.0.1\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Relay Attack against a Domain Controller\",\"description\":\"Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. 
Attackers may relay the DC hash after capturing it using forced authentication.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"},{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\",\"subtechnique\":[{\"id\":\"T1557.001\",\"name\":\"LLMNR/NBT-NS Poisoning and SMB 
Relay\",\"reference\":\"https://attack.mitre.org/techniques/T1557/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"b3558f16-aa94-41fe-9a47-e53f67a87dac\",\"rule_id\":\"263481c8-1e9b-492e-912d-d1760707f810\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.717Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"authentication where host.os.type == \\\"windows\\\" and event.code in (\\\"4624\\\", \\\"4625\\\") and endswith~(user.name, \\\"$\\\") and\\n winlog.event_data.AuthenticationPackageName : \\\"NTLM\\\" and winlog.logon.type : \\\"network\\\" and\\n\\n /* Filter for a machine account that matches the hostname */\\n startswith~(host.name, substring(user.name, 0, -1)) and\\n \\n /* Verify if the Source IP belongs to the host */\\n not endswith(string(source.ip), string(host.ip)) and\\n source.ip != null and source.ip != \\\"::1\\\" and source.ip != \\\"127.0.0.1\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-system.security-*\",\"logs-windows.forwarded*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"revision\":0,\"current_rule\":{\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"updated_at\":\"2024-12-04T19:45:44.621Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.621Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Update Orchestrator Service Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via Update Orchestrator Service Hijack\\n\\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. 
Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft (CVE-2020-1313) on Patch Tuesday June 2020; hosts missing that update remain exploitable.\\n\\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the suspicious process execution.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/irsl/CVE-2020-1313\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and\\n process.parent.args : \\\"UsoSvc\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\Packages\\\\\\\\*\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoClient.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotification.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotificationUx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotifyIcon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerMgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\ClickToRun\\\\\\\\OfficeC2RClient.exe\\\") and\\n not process.name : (\\\"MoUsoCoreWorker.exe\\\", \\\"OfficeC2RClient.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Update Orchestrator Service Hijack\",\"description\":\"Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via Update Orchestrator Service Hijack\\n\\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft (CVE-2020-1313) on Patch Tuesday June 2020; hosts missing that update remain exploitable.\\n\\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. 
Attackers can leverage this technique to elevate privileges or maintain persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/irsl/CVE-2020-1313\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"664e3f24-cf84-43b0-affe-4046801910cd\",\"rule_id\":\"265db8f5-fc73-4d0d-b434-6483b56372e2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.621Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and\\n process.parent.args : \\\"UsoSvc\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\Packages\\\\\\\\*\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoClient.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotification.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotificationUx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MusNotifyIcon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerMgr.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MoUsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\UUS\\\\\\\\amd64\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\UsoCoreWorker.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\ClickToRun\\\\\\\\OfficeC2RClient.exe\\\") and\\n not process.name : (\\\"MoUsoCoreWorker.exe\\\", \\\"OfficeC2RClient.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data 
Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"revision\":0,\"current_rule\":{\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"updated_at\":\"2024-12-04T19:45:44.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.628Z\",\"created_by\":\"elastic\",\"name\":\"Attempts to Brute Force a Microsoft 365 User Account\",\"tags\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to brute force a Microsoft 365 user account. 
An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Willem D'Haese\",\"Austin Songer\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-9m\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[\"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem\",\"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-o365.audit-*\\n| MV_EXPAND event.category\\n| WHERE event.dataset == \\\"o365.audit\\\"\\n AND event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n AND event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n AND event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n AND not o365.audit.LogonError in (\\n 
\\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n // filters out non user or application logins based on target\\n AND o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n| STATS\\n // count the number of failed login attempts target per user\\n login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\\n\\n| WHERE login_attempt_counts > 10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempts to Brute Force a Microsoft 365 User Account\",\"description\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. 
Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Willem D'Haese\",\"Austin Songer\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[\"https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem\",\"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"d3dbe85f-b9ca-4d8b-b073-693aa6ab13f4\",\"rule_id\":\"26f68dba-ce29-497b-8e13-b4fde1db5a2d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == 
\\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"target_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"merged_version\":[\"Domain: Cloud\",\"Domain: SaaS\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.\",\"target_version\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"merged_version\":\"Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. 
Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-o365.audit-*\\n| MV_EXPAND event.category\\n| WHERE event.dataset == \\\"o365.audit\\\"\\n AND event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n AND event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n AND event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n AND not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n // filters out non user or application logins based on target\\n AND o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n| STATS\\n // count the number of failed login attempts target per user\\n 
login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\\n\\n| WHERE login_attempt_counts > 10\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count 
= count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-o365.audit-*\\n// truncate the timestamp to a 30-minute window\\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\\n| mv_expand event.category\\n| where event.dataset == \\\"o365.audit\\\"\\n and event.category == \\\"authentication\\\"\\n\\n // filter only on Entra ID or Exchange audit logs in O365 integration\\n and event.provider in (\\\"AzureActiveDirectory\\\", \\\"Exchange\\\")\\n\\n // filter only for UserLoginFailed or partial failures\\n and event.action in (\\\"UserLoginFailed\\\", \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\\n // ignore specific logon errors\\n and not o365.audit.LogonError in (\\n \\\"EntitlementGrantsNotFound\\\",\\n \\\"UserStrongAuthEnrollmentRequired\\\",\\n \\\"UserStrongAuthClientAuthNRequired\\\",\\n \\\"InvalidReplyTo\\\",\\n \\\"SsoArtifactExpiredDueToConditionalAccess\\\",\\n \\\"PasswordResetRegistrationRequiredInterrupt\\\",\\n \\\"SsoUserAccountNotFoundInResourceTenant\\\",\\n \\\"UserStrongAuthExpired\\\",\\n \\\"CmsiInterrupt\\\"\\n)\\n\\n // ignore unavailable\\n and o365.audit.UserId != \\\"Not Available\\\"\\n\\n // filters out non user or application logins based on target\\n and o365.audit.Target.Type in (\\\"0\\\", \\\"2\\\", \\\"3\\\", \\\"5\\\", \\\"6\\\", \\\"10\\\")\\n\\n // filters only for logins from user or application, ignoring oauth:token\\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \\\"(.*)login(.*)\\\"\\n\\n// keep only relevant fields\\n| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window\\n\\n// count the number of login sources and failed login 
attempts\\n| stats\\n login_source_count = count(source.ip),\\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\\n\\n// filter for users with more than 20 login sources or failed login attempts\\n| where (login_source_count >= 20 or failed_login_count >= 20)\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"revision\":0,\"current_rule\":{\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"updated_at\":\"2024-12-04T19:45:44.630Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.630Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Archive Compression Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to archive compression activities. 
Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n(\\n powershell.file.script_block_text : (\\n \\\"IO.Compression.ZipFile\\\" or\\n \\\"IO.Compression.ZipArchive\\\" or\\n \\\"ZipFile.CreateFromDirectory\\\" or\\n \\\"IO.Compression.BrotliStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GZipStream\\\" or\\n \\\"IO.Compression.ZLibStream\\\"\\n ) and \\n powershell.file.script_block_text : (\\n \\\"CompressionLevel\\\" or\\n \\\"CompressionMode\\\" or\\n \\\"ZipArchiveMode\\\"\\n ) or\\n powershell.file.script_block_text : \\\"Compress-Archive\\\"\\n) and\\nnot powershell.file.script_block_text : (\\n \\\"Compress-Archive -Path 'C:\\\\ProgramData\\\\Lenovo\\\\Udc\\\\diagnostics\\\\latest\\\" or\\n (\\\"Copyright: (c) 2017, Ansible Project\\\" and \\\"Ansible.ModuleUtils.Backup\\\")\\n) and\\nnot file.directory : \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\lib\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program 
Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Expand-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Compress-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Archive Compression Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"08cdc5b4-74c2-4364-9e64-2b7d9cc839b3\",\"rule_id\":\"27071ea3-e806-4697-8abc-e22c92aa4293\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.630Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat 
Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Expand-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\*\\\\\\\\optional\\\\\\\\Compress-Archive.ps1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n(\\n powershell.file.script_block_text : (\\n \\\"IO.Compression.ZipFile\\\" or\\n \\\"IO.Compression.ZipArchive\\\" or\\n \\\"ZipFile.CreateFromDirectory\\\" or\\n \\\"IO.Compression.BrotliStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GZipStream\\\" or\\n \\\"IO.Compression.ZLibStream\\\"\\n ) and \\n powershell.file.script_block_text : (\\n \\\"CompressionLevel\\\" or\\n \\\"CompressionMode\\\" or\\n \\\"ZipArchiveMode\\\"\\n ) or\\n powershell.file.script_block_text : \\\"Compress-Archive\\\"\\n) and\\nnot powershell.file.script_block_text : (\\n \\\"Compress-Archive -Path 'C:\\\\ProgramData\\\\Lenovo\\\\Udc\\\\diagnostics\\\\latest\\\" or\\n (\\\"Copyright: (c) 2017, Ansible Project\\\" and \\\"Ansible.ModuleUtils.Backup\\\")\\n) and\\nnot file.directory : \\\"C:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\lib\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"revision\":0,\"current_rule\":{\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"updated_at\":\"2024-12-04T19:45:44.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.637Z\",\"created_by\":\"elastic\",\"name\":\"Incoming Execution via PowerShell Remoting\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\"
,\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan = 30s\\n [network where host.os.type == \\\"windows\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and destination.port in (5985, 5986) and\\n network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"wsmprovhost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming Execution via PowerShell Remoting\",\"description\":\"Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"e715bb9b-6d49-41bd-b45c-bc25d8285feb\",\"rule_id\":\"2772264c-6fb9-4d9d-9014-b416eed21254\",\"immutable\":true,\"rule_source\":{\"type\":\"extern
al\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 30s\\n [network where host.os.type == \\\"windows\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and destination.port in (5985, 5986) and\\n network.protocol == \\\"http\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"wsmprovhost.exe\\\" and not process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"revision\":0,\"current_rule\":{\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"updated_at\":\"2024-12-04T19:45:44.645Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.645Z\",\"created_by\":\"elastic\",\"name\":\"Account Password Reset Remotely\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Performance\\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate remote account administration.\"],\"from\":\"now-9m\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724\",\"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and event.outcome == \\\"success\\\" and source.ip != null and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not winlog.event_data.TargetUserName : (\\\"svc*\\\", \\\"PIM_*\\\", \\\"_*_\\\", \\\"*-*-*\\\", \\\"*$\\\")] by 
winlog.event_data.TargetLogonId\\n /* event 4724 need to be logged */\\n [iam where event.action == \\\"reset-password\\\" and\\n (\\n /*\\n This rule is very noisy if not scoped to privileged accounts, duplicate the\\n rule and add your own naming convention and accounts of interest here.\\n */\\n winlog.event_data.TargetUserName: (\\\"*Admin*\\\", \\\"*super*\\\", \\\"*SVC*\\\", \\\"*DC0*\\\", \\\"*service*\\\", \\\"*DMZ*\\\", \\\"*ADM*\\\") or\\n winlog.event_data.TargetSid : (\\\"S-1-5-21-*-500\\\", \\\"S-1-12-1-*-500\\\")\\n )\\n ] by winlog.event_data.SubjectLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Password Reset Remotely\",\"description\":\"Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Performance\\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\\n\",\"output_index\":\"\",\"version\":216,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate remote account 
administration.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724\",\"https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"a654633e-73bf-4c1e-923c-71ecba4d8964\",\"rule_id\":\"2820c9c2-bcd7-4d6e-9eba-faf3891ba450\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated
_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.645Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and event.outcome == \\\"success\\\" and source.ip != null and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not winlog.event_data.TargetUserName : (\\\"svc*\\\", \\\"PIM_*\\\", \\\"_*_\\\", \\\"*-*-*\\\", \\\"*$\\\")] by winlog.event_data.TargetLogonId\\n /* event 4724 need to be logged */\\n [iam where event.action == \\\"reset-password\\\" and\\n (\\n /*\\n This rule is very noisy if not scoped to privileged accounts, duplicate the\\n rule and add your own naming convention and accounts of interest here.\\n */\\n winlog.event_data.TargetUserName: (\\\"*Admin*\\\", \\\"*super*\\\", \\\"*SVC*\\\", \\\"*DC0*\\\", \\\"*service*\\\", \\\"*DMZ*\\\", \\\"*ADM*\\\") or\\n winlog.event_data.TargetSid : (\\\"S-1-5-21-*-500\\\", \\\"S-1-12-1-*-500\\\")\\n )\\n ] by winlog.event_data.SubjectLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":216,\"merged_version\":216,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Tactic: Impact\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"revision\":0,\"current_rule\":{\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"updated_at\":\"2024-12-04T19:46:03.720Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.720Z\",\"created_by\":\"elastic\",\"name\":\"Potential Widespread Malware Infection Across Multiple Hosts\",\"tags\":[\"Domain: Endpoint\",\"Data Source: Elastic Defend\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Rule Type: Higher-Order Rule\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule uses alert data to determine when a malware signature is triggered in multiple hosts. 
Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/elastic/protections-artifacts/tree/main/yara/rules\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Widespread Malware Infection Across Multiple Hosts\",\"description\":\"This rule uses alert data to determine when a malware signature is triggered in multiple hosts. 
Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"Data Source: Elastic Defend\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Rule Type: Higher-Order Rule\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/elastic/protections-artifacts/tree/main/yara/rules\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"3555dcf0-856e-4ef3-994d-429670d9466d\",\"rule_id\":\"28371aa1-14ed-46cf-ab5b-2fc7d1942278\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.720Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 
3\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-endpoint.alerts-*\\n| where event.code in (\\\"malicious_file\\\", \\\"memory_signature\\\", \\\"shellcode_thread\\\") and rule.name is not null\\n| keep host.id, rule.name, event.code\\n| stats hosts = count_distinct(host.id) by rule.name, event.code\\n| where hosts >= 3\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"revision\":0,\"current_rule\":{\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"updated_at\":\"2024-12-04T19:45:44.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.647Z\",\"created_by\":\"elastic\",\"name\":\"Account Discovery Command via SYSTEM Account\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Discovery\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Discovery Command via SYSTEM Account\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Use the data collected through the analysis to investigate other machines affected in the environment.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or\\n ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (\\n process.name : \\\"whoami.exe\\\" or\\n (\\n process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\" 
and not process.args : (\\\"start\\\", \\\"stop\\\", \\\"/active:*\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Discovery Command via SYSTEM Account\",\"description\":\"Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Discovery Command via SYSTEM Account\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Use the data collected through the analysis to investigate other machines affected in the environment.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bb9cdb83-a773-4ee7-91d4-ee0869c2a702\",\"rule_id\":\"2856446a-34e6-435b-9fb5-f8f040bfa7ed\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.647Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or\\n 
?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (\\n process.name : \\\"whoami.exe\\\" or\\n (\\n process.name : \\\"net1.exe\\\" and not process.parent.name : \\\"net.exe\\\" and not process.args : (\\\"start\\\", \\\"stop\\\", \\\"/active:*\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"revision\":0,\"current_rule\":{\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"updated_at\":\"2024-12-04T19:45:44.658Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.658Z\",\"created_by\":\"elastic\",\"name\":\"Sudo Command Enumeration Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the 
invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot group.Ext.real.id : \\\"0\\\" and not user.Ext.real.id : \\\"0\\\" and not process.args == \\\"dpkg\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Sudo Command Enumeration Detected\",\"description\":\"This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. 
Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"04fa4f8c-e6ca-442b-adec-76ea39f2a595\",\"rule_id\":\"28d39238-0c01-420a-b77a-24e5a7378663\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.658Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == 
\\\"dpkg\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot group.Ext.real.id : \\\"0\\\" and not user.Ext.real.id : \\\"0\\\" and not process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"sudo\\\" and process.args == \\\"-l\\\" and process.args_count == 2 and\\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and \\nnot process.args == \\\"dpkg\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"revision\":0,\"current_rule\":{\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"updated_at\":\"2024-12-04T19:46:03.722Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.722Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via SUID/SGID\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. 
Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://gtfobins.github.io/#+suid\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", 
\\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", 
\\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via SUID/SGID\",\"description\":\"Identifies instances where a process is executed with an effective user/group ID (process.user.id / process.group.id) of 0 (root) while its real user/group ID (process.real_user.id / process.real_group.id) is not 0, and the process name is one of the binaries enumerated in the query (drawn from the GTFOBins SUID list in the references). That mismatch between effective and real IDs is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges; SUID/SGID binaries that are not in the enumerated list are not covered by this rule. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"99f4031d-00eb-472b-bf90-4deb722aab8a\",\"rule_id\":\"28eb3afe-131d-48b0-a8fc-9784f3d54f3c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.722Z\",\"
created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", 
\\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == 
\\\"spine\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://gtfobins.github.io/#+suid\"],\"target_version\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://gtfobins.github.io/#+suid\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\"
:true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.real_user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", 
\\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", 
\\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", 
\\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", \\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", 
\\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", \\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == \\\"spine\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.user.id == \\\"0\\\" and process.real_user.id != \\\"0\\\") or \\n (process.group.id == \\\"0\\\" and process.real_group.id != \\\"0\\\")\\n) and (\\n process.name in (\\n \\\"aa-exec\\\", \\\"ab\\\", \\\"agetty\\\", \\\"alpine\\\", \\\"ar\\\", \\\"arj\\\", \\\"arp\\\", \\\"as\\\", \\\"ascii-xfr\\\", \\\"ash\\\", \\\"aspell\\\",\\n \\\"atobm\\\", \\\"awk\\\", \\\"base32\\\", \\\"base64\\\", \\\"basenc\\\", \\\"basez\\\", \\\"bash\\\", \\\"bc\\\", \\\"bridge\\\", \\\"busctl\\\",\\n \\\"busybox\\\", \\\"bzip2\\\", \\\"cabal\\\", \\\"capsh\\\", \\\"cat\\\", \\\"choom\\\", \\\"chown\\\", \\\"chroot\\\", \\\"clamscan\\\", \\\"cmp\\\",\\n \\\"column\\\", \\\"comm\\\", \\\"cp\\\", \\\"cpio\\\", \\\"cpulimit\\\", \\\"csh\\\", \\\"csplit\\\", \\\"csvtool\\\", \\\"cupsfilter\\\", \\\"curl\\\",\\n \\\"cut\\\", \\\"dash\\\", \\\"date\\\", \\\"dd\\\", \\\"debugfs\\\", \\\"dialog\\\", \\\"diff\\\", \\\"dig\\\", \\\"distcc\\\", \\\"dmsetup\\\", \\\"docker\\\",\\n \\\"dosbox\\\", \\\"ed\\\", \\\"efax\\\", \\\"elvish\\\", \\\"emacs\\\", \\\"env\\\", \\\"eqn\\\", 
\\\"espeak\\\", \\\"expand\\\", \\\"expect\\\", \\\"file\\\",\\n \\\"find\\\", \\\"fish\\\", \\\"flock\\\", \\\"fmt\\\", \\\"fold\\\", \\\"gawk\\\", \\\"gcore\\\", \\\"gdb\\\", \\\"genie\\\", \\\"genisoimage\\\", \\\"gimp\\\",\\n \\\"grep\\\", \\\"gtester\\\", \\\"gzip\\\", \\\"hd\\\", \\\"head\\\", \\\"hexdump\\\", \\\"highlight\\\", \\\"hping3\\\", \\\"iconv\\\", \\\"install\\\",\\n \\\"ionice\\\", \\\"ispell\\\", \\\"jjs\\\", \\\"join\\\", \\\"jq\\\", \\\"jrunscript\\\", \\\"julia\\\", \\\"ksh\\\", \\\"ksshell\\\", \\\"kubectl\\\",\\n \\\"ld.so\\\", \\\"less\\\", \\\"links\\\", \\\"logsave\\\", \\\"look\\\", \\\"lua\\\", \\\"make\\\", \\\"mawk\\\", \\\"minicom\\\", \\\"more\\\",\\n \\\"mosquitto\\\", \\\"msgattrib\\\", \\\"msgcat\\\", \\\"msgconv\\\", \\\"msgfilter\\\", \\\"msgmerge\\\", \\\"msguniq\\\", \\\"multitime\\\",\\n \\\"mv\\\", \\\"nasm\\\", \\\"nawk\\\", \\\"ncftp\\\", \\\"nft\\\", \\\"nice\\\", \\\"nl\\\", \\\"nm\\\", \\\"nmap\\\", \\\"node\\\", \\\"nohup\\\", \\\"ntpdate\\\",\\n \\\"od\\\", \\\"openssl\\\", \\\"openvpn\\\", \\\"pandoc\\\", \\\"paste\\\", \\\"perf\\\", \\\"perl\\\", \\\"pexec\\\", \\\"pg\\\", \\\"php\\\", \\\"pidstat\\\",\\n \\\"pr\\\", \\\"ptx\\\", \\\"python\\\", \\\"rc\\\", \\\"readelf\\\", \\\"restic\\\", \\\"rev\\\", \\\"rlwrap\\\", \\\"rsync\\\", \\\"rtorrent\\\",\\n \\\"run-parts\\\", \\\"rview\\\", \\\"rvim\\\", \\\"sash\\\", \\\"scanmem\\\", \\\"sed\\\", \\\"setarch\\\", \\\"setfacl\\\", \\\"setlock\\\", \\\"shuf\\\",\\n \\\"soelim\\\", \\\"softlimit\\\", \\\"sort\\\", \\\"sqlite3\\\", \\\"ss\\\", \\\"ssh-agent\\\", \\\"ssh-keygen\\\", \\\"ssh-keyscan\\\",\\n \\\"sshpass\\\", \\\"start-stop-daemon\\\", \\\"stdbuf\\\", \\\"strace\\\", \\\"strings\\\", \\\"sysctl\\\", \\\"systemctl\\\", \\\"tac\\\",\\n \\\"tail\\\", \\\"taskset\\\", \\\"tbl\\\", \\\"tclsh\\\", \\\"tee\\\", \\\"terraform\\\", \\\"tftp\\\", \\\"tic\\\", \\\"time\\\", \\\"timeout\\\", \\\"troff\\\",\\n \\\"ul\\\", \\\"unexpand\\\", \\\"uniq\\\", \\\"unshare\\\", 
\\\"unsquashfs\\\", \\\"unzip\\\", \\\"update-alternatives\\\", \\\"uudecode\\\",\\n \\\"uuencode\\\", \\\"vagrant\\\", \\\"varnishncsa\\\", \\\"view\\\", \\\"vigr\\\", \\\"vim\\\", \\\"vimdiff\\\", \\\"vipw\\\", \\\"w3m\\\", \\\"watch\\\",\\n \\\"wc\\\", \\\"wget\\\", \\\"whiptail\\\", \\\"xargs\\\", \\\"xdotool\\\", \\\"xmodmap\\\", \\\"xmore\\\", \\\"xxd\\\", \\\"xz\\\", \\\"yash\\\", \\\"zsh\\\",\\n \\\"zsoelim\\\"\\n ) or \\n process.name == \\\"ip\\\" and (\\n (process.args == \\\"-force\\\" and process.args in (\\\"-batch\\\", \\\"-b\\\")) or (process.args == \\\"exec\\\")\\n )\\n) and not process.parent.name == \\\"spine\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"revision\":0,\"current_rule\":{\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"updated_at\":\"2024-12-04T19:45:44.661Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.661Z\",\"created_by\":\"elastic\",\"name\":\"Shell Configuration Creation or Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. 
This behavior is consistent with the Kaiji malware family.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate user shell modification activity.\"],\"from\":\"now-9m\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", 
\\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Shell Configuration Creation or Modification\",\"description\":\"This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate user shell modification activity.\"],\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f18d3558-22cd-455d-af16-999cf08e9f92\",\"rule_id\":\"28f6f34b-8e16-487a-b5fd-9d22eb903db8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.003Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.661Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user 
configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n 
\\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"target_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n 
\\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", 
\\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", \\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", 
\\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n // system-wide configurations\\n \\\"/etc/profile\\\", \\\"/etc/profile.d/*\\\", \\\"/etc/bash.bashrc\\\", \\\"/etc/bash.bash_logout\\\", \\\"/etc/zsh/*\\\",\\n \\\"/etc/csh.cshrc\\\", \\\"/etc/csh.login\\\", \\\"/etc/fish/config.fish\\\", \\\"/etc/ksh.kshrc\\\",\\n // root and user configurations\\n \\\"/home/*/.profile\\\", \\\"/home/*/.bashrc\\\", \\\"/home/*/.bash_login\\\", \\\"/home/*/.bash_logout\\\", \\\"/home/*/.bash_profile\\\",\\n \\\"/root/.profile\\\", \\\"/root/.bashrc\\\", \\\"/root/.bash_login\\\", \\\"/root/.bash_logout\\\", \\\"/root/.bash_profile\\\",\\n \\\"/home/*/.zprofile\\\", \\\"/home/*/.zshrc\\\", \\\"/root/.zprofile\\\", \\\"/root/.zshrc\\\",\\n \\\"/home/*/.cshrc\\\", \\\"/home/*/.login\\\", \\\"/home/*/.logout\\\", \\\"/root/.cshrc\\\", \\\"/root/.login\\\", \\\"/root/.logout\\\",\\n \\\"/home/*/.config/fish/config.fish\\\", 
\\\"/root/.config/fish/config.fish\\\",\\n \\\"/home/*/.kshrc\\\", \\\"/root/.kshrc\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/sbin/adduser\\\", \\\"/usr/sbin/useradd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/sbin/gdm\\\", \\\"/usr/bin/unzip\\\", \\\"/usr/bin/gnome-shell\\\", \\\"/sbin/mkhomedir_helper\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/bin/xfce4-session\\\", \\\"/usr/libexec/oddjob/mkhomedir\\\", \\\"/sbin/useradd\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/crond\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/usr/sbin/mkhomedir_helper\\\",\\n \\\"/opt/pbis/sbin/lwsmd\\\", \\\"/usr/sbin/oddjobd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", 
\\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\",\\n \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"adclient\\\", \\\"mkhomedir_helper\\\", \\\"teleport\\\", \\\"mkhomedir\\\", \\\"adduser\\\", \\\"desktopDaemon\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"revision\":0,\"current_rule\":{\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"updated_at\":\"2024-12-04T19:45:44.663Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.663Z\",\"created_by\":\"elastic\",\"name\":\"AWS Security Group Configuration Change Detection\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A security group may be created by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-30m\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress 
or\\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\\nRevokeSecurityGroupIngress) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 Security Group Configuration Change\",\"description\":\"Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. 
Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. **Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. 
**Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best 
practices.\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6ede564e-4077-4802-a4b4-350ee7d9307f\",\"rule_id\":\"29052c19-ff3e-42fd-8363-7be14d7c5469\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.663Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: 
\\\"success\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Security Group Configuration Change Detection\",\"target_version\":\"AWS EC2 Security Group Configuration Change\",\"merged_version\":\"AWS EC2 Security Group Configuration Change\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Network Security Monitoring\",\"Resources: Investigation Guide\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. 
Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. 
**Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and 
best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.\\n\",\"merged_version\":\"### Investigating AWS EC2 Security Group Configuration Change\\n\\nThis rule identifies any changes to an AWS Security Group, which functions as a virtual firewall controlling inbound and outbound traffic for resources like EC2 instances. Modifications to a security group configuration could expose critical assets to unauthorized access. Threat actors may exploit such changes to establish persistence, exfiltrate data, or pivot within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n1. **Identify the Modified Security Group**:\\n - **Security Group ID**: Check the `aws.cloudtrail.flattened.request_parameters.groupId` field to identify the specific security group affected.\\n - **Rule Changes**: Review `aws.cloudtrail.flattened.response_elements.securityGroupRuleSet` to determine the new rules or configurations, including any added or removed IP ranges, protocol changes, and port specifications.\\n\\n2. **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine which user or role made the modification. Verify if this is an authorized administrator or a potentially compromised account.\\n - **Access Patterns**: Analyze whether this user regularly interacts with security group configurations or if this event is out of the ordinary for their account.\\n\\n3. **Analyze the Configuration Change**:\\n - **Egress vs. Ingress**: Determine if the change affected inbound (ingress) or outbound (egress) traffic by reviewing fields like `isEgress` in the `securityGroupRuleSet`. Unauthorized changes to outbound traffic can indicate data exfiltration attempts.\\n - **IP Ranges and Ports**: Assess any added IP ranges, especially `0.0.0.0/0`, which exposes resources to the internet. 
Port changes should also be evaluated to ensure only necessary ports are open.\\n\\n4. **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Examine the `user_agent.original` field to identify the tool or application used, such as `AWS Console` or `Terraform`, which may reveal if the action was automated or manual.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to verify if the IP address and geolocation match expected locations for your organization. Unexpected IPs or regions may indicate unauthorized access.\\n\\n5. **Evaluate for Persistence Indicators**:\\n - **Repeated Changes**: Investigate if similar changes were recently made across multiple security groups, which may suggest an attempt to maintain or expand access.\\n - **Permissions Review**: Confirm that the user’s IAM policies are configured to limit changes to security groups only as necessary.\\n\\n6. **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference Other Security Events**: Look for related actions like `AuthorizeSecurityGroupIngress`, `CreateSecurityGroup`, or `RevokeSecurityGroupIngress` that may indicate additional or preparatory steps for unauthorized access.\\n - **Monitor for IAM or Network Changes**: Check for IAM modifications, network interface changes, or other configuration updates in the same timeframe to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Security Changes**: Security group modifications may be part of regular infrastructure maintenance. 
Verify if this action aligns with known, scheduled administrative activities.\\n- **Automated Configuration Management**: If you are using automated tools like `Terraform` or `CloudFormation`, confirm if the change matches expected configuration drift corrections or deployments.\\n\\n### Response and Remediation\\n\\n- **Revert Unauthorized Changes**: If unauthorized, revert the security group configuration to its previous state to secure the environment.\\n- **Restrict Security Group Permissions**: Remove permissions to modify security groups from any compromised or unnecessary accounts to limit future access.\\n- **Quarantine Affected Resources**: If necessary, isolate any affected instances or resources to prevent further unauthorized activity.\\n- **Audit IAM and Security Group Policies**: Regularly review permissions related to security groups to ensure least privilege access and prevent excessive access.\\n\\n### Additional Information\\n\\nFor more details on managing AWS Security Groups and best practices, refer to the [AWS EC2 Security Groups Documentation](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html) and AWS security best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"10m\",\"lookback\":\"1200s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.instanceId\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\\nRevokeSecurityGroupIngress) and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: \\\"success\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and 
event.provider: \\\"ec2.amazonaws.com\\\"\\n and event.action:(\\n \\\"AuthorizeSecurityGroupEgress\\\" or\\n \\\"CreateSecurityGroup\\\" or\\n \\\"ModifyInstanceAttribute\\\" or\\n \\\"ModifySecurityGroupRules\\\" or\\n \\\"RevokeSecurityGroupEgress\\\" or\\n \\\"RevokeSecurityGroupIngress\\\")\\n and event.outcome: \\\"success\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":8,\"num_fields_with_conflicts\":7,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"revision\":0,\"current_rule\":{\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"updated_at\":\"2024-12-04T19:45:44.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.665Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Windows Directory Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for logon events (for example, 4624) to the target host around the time of the suspicious process execution.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"C:\\\\\\\\Windows \\\\\\\\system32\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows \\\\\\\\SysWOW64\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt via Windows Directory Masquerading\",\"description\":\"Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. 
Attackers may bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for logon events (for example, 4624) to the target host around the time of the suspicious process execution.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c39a617-df81-419d-a503-2aaa8fa2f6cd\",\"rule_id\":\"290aca65-e94d-403b-ba0f-62f320e63f51\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.665Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"C:\\\\\\\\Windows \\\\\\\\system32\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Windows \\\\\\\\SysWOW64\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"revision\":0,\"current_rule\":{\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"updated_at\":\"2024-12-04T19:45:44.668Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.668Z\",\"created_by\":\"elastic\",\"name\":\"Web Shell Detection: Script Process Child of Common Web Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious commands executed via a web server, which may suggest a 
vulnerability and remote shell access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\\n\\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\\n\\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.\"],\"from\":\"now-9m\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.003\",\"name\":\"Web Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1505/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]},{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/\",\"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"w3wp.exe\\\", \\\"httpd.exe\\\", \\\"nginx.exe\\\", \\\"php.exe\\\", \\\"php-cgi.exe\\\", \\\"tomcat.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"cscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\") and\\n not\\n (\\n process.parent.name : (\\\"php.exe\\\", \\\"httpd.exe\\\") and process.name : \\\"cmd.exe\\\" and\\n process.command_line : (\\n \\\"cmd.exe /c mode CON\\\",\\n \\\"cmd.exe /s /c \\\\\\\"mode CON\\\\\\\"\\\",\\n \\\"cmd.exe /c \\\\\\\"mode\\\\\\\"\\\",\\n \\\"cmd.exe /s /c \\\\\\\"tput colors 2>&1\\\\\\\"\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Web Shell Detection: Script Process Child of Common Web Processes\",\"description\":\"Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\\n\\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\\n\\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.\"],\"references\":[\"https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/\",\"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.003\",\"name\":\"Web Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1505/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]},{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bd729c7-d2df-40c5-aa37-ae29f985dc0a\",\"rule_id\":\"2917d495-59bd-4250-b395-c29409b76086\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"upd
ated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.668Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"w3wp.exe\\\", \\\"httpd.exe\\\", \\\"nginx.exe\\\", \\\"php.exe\\\", \\\"php-cgi.exe\\\", \\\"tomcat.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"cscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\") and\\n not\\n (\\n process.parent.name : (\\\"php.exe\\\", \\\"httpd.exe\\\") and process.name : \\\"cmd.exe\\\" and\\n process.command_line : (\\n \\\"cmd.exe /c mode CON\\\",\\n \\\"cmd.exe /s /c \\\\\\\"mode CON\\\\\\\"\\\",\\n \\\"cmd.exe /c \\\\\\\"mode\\\\\\\"\\\",\\n \\\"cmd.exe /s /c \\\\\\\"tput colors 2>&1\\\\\\\"\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"revision\":0,\"current_rule\":{\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"updated_at\":\"2024-12-04T19:45:44.670Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.670Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Privileged Local Groups Membership\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating 
Enumeration of Privileged Local Groups Membership\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process, host and user involved on the event.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## 
Setup\\n\\nThe 'Audit Security Group Management' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit Security Group Management (Success)\\n```\\n\\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n 
)\\n\",\"new_terms_fields\":[\"host.id\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.CallerProcessName\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Privileged Local Groups Membership\",\"description\":\"Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Privileged Local Groups Membership\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process, host and user involved on the event.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR 
user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Security Group Management' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit Security Group Management (Success)\\n```\\n\\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"2deea678-620c-444e-b280-958e0c1945d0\",\"rule_id\":\"291a0de9-937a-4189-94c0-3e847c8b13e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.670Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n 
C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"new_terms_fields\":[\"host.id\",\"winlog.event_data.SubjectUserName\",\"winlog.event_data.CallerProcessName\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n 
winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \\n (\\n group.name:(*Admin* or \\\"RemoteDesktopUsers\\\") or\\n winlog.event_data.TargetSid:(\\\"S-1-5-32-544\\\" or \\\"S-1-5-32-555\\\")\\n ) and \\n not (\\n winlog.event_data.SubjectUserName: *$ or\\n winlog.event_data.SubjectUserSid: (\\\"S-1-5-19\\\" or \\\"S-1-5-20\\\") or \\n winlog.event_data.CallerProcessName:(\\\"-\\\" or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\\n 
C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware*\\\\\\\\snaptool.exe or\\n C\\\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\\n C\\\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\\n C\\\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\\n )\\n )\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"winlog.event_data.CallerProcessName\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\*.exe\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"revision\":0,\"current_rule\":{\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"updated_at\":\"2024-12-04T19:45:44.673Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.673Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux SSH X11 Forwarding\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux SSH X11 Forwarding\\n\\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\\n\\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") 
and\\nprocess.name in (\\\"ssh\\\", \\\"sshd\\\") and process.args in (\\\"-X\\\", \\\"-Y\\\") and process.args_count >= 3 and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux SSH X11 Forwarding\",\"description\":\"This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux SSH X11 Forwarding\\n\\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\\n\\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol 
Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17f29e1c-3e56-4c2f-80b8-70b3c32e87fc\",\"rule_id\":\"29f0cf93-d17c-4b12-b4f3-a433800539fa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.673Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"ssh\\\", \\\"sshd\\\") and process.args in (\\\"-X\\\", \\\"-Y\\\") and process.args_count >= 3 and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Linux SSH X11 Forwarding\",\"target_version\":\"Linux SSH X11 Forwarding\",\"merged_version\":\"Linux SSH X11 Forwarding\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"revision\":0,\"current_rule\":{\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"updated_at\":\"2024-12-04T19:45:44.675Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.675Z\",\"created_by\":\"elastic\",\"name\":\"Potential Code Execution via Postgresql\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public-facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions and facilitate post-exploitation activities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and \\nuser.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not process.parent.name : \\\"puppet\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Code Execution via Postgresql\",\"description\":\"This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. 
Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public-facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions and facilitate post-exploitation activities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"79f40013-80c2-488b-8927-23c1e4ecde65\",\"rule_id\":\"2a692072-d78d-42f3-a48a-775677d79c4e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.675Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and 
process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true
},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and \\nuser.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not process.parent.name : \\\"puppet\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"fork\\\", \\\"fork_event\\\") and user.name == \\\"postgres\\\" and (\\n (process.parent.args : \\\"*sh\\\" and process.parent.args : \\\"echo*\\\") or \\n (process.args : \\\"*sh\\\" and process.args : \\\"echo*\\\")\\n) and not (\\n process.parent.name == \\\"puppet\\\" or\\n 
process.command_line like \\\"*BECOME-SUCCESS-*\\\" or\\n process.parent.command_line like \\\"*BECOME-SUCCESS-*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"revision\":0,\"current_rule\":{\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"updated_at\":\"2024-12-04T19:45:44.680Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.680Z\",\"created_by\":\"elastic\",\"name\":\"ESXI Discovery via Grep\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", or \\\"vmem\\\". 
These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and process.args in (\\n \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ESXI Discovery via Grep\",\"description\":\"Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", or \\\"vmem\\\". 
These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bffbd534-d1fa-4e06-80ed-a91c9ce4a0cc\",\"rule_id\":\"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.680Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == 
\\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name 
in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and process.args in (\\n \\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == \\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"pgrep\\\") and\\nprocess.args in (\\\"vmdk\\\", \\\"vmx\\\", \\\"vmxf\\\", \\\"vmsd\\\", \\\"vmsn\\\", \\\"vswp\\\", \\\"vmss\\\", \\\"nvram\\\", \\\"vmem\\\") and\\nnot process.parent.executable == \\\"/usr/share/qemu/init/qemu-kvm-init\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"revision\":0,\"current_rule\":{\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"updated_at\":\"2024-12-04T19:45:44.682Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.682Z\",\"created_by\":\"elastic\",\"name\":\"Adobe Hijack Persistence\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects writing executable files that will be automatically launched by Adobe on launch.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adobe Hijack Persistence\\n\\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables 
with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.010\",\"name\":\"Services File Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/010/\"}]},{\"id\":\"T1554\",\"name\":\"Compromise Host Software 
Binary\",\"reference\":\"https://attack.mitre.org/techniques/T1554/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/pabraeken/status/997997818362155008\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\") and\\n not process.name : \\\"msiexec.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Adobe Hijack 
Persistence\",\"description\":\"Detects writing executable files that will be automatically launched by Adobe on launch.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adobe Hijack Persistence\\n\\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM 
dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":414,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/pabraeken/status/997997818362155008\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.010\",\"name\":\"Services File Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/010/\"}]},{\"id\":\"T1554\",\"name\":\"Compromise Host Software Binary\",\"reference\":\"https://attack.mitre.org/techniques/T1554/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a3f0ba6-fa6e-445a-8282-e250e3ee2616\",\"rule_id\":\"2bf78aa2-9c56-48de-b139-f169bf99cf86\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.004Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.682Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat Reader DC\\\\\\\\Reader\\\\\\\\AcroCEF\\\\\\\\RdrCEF.exe\\\") and\\n not process.name : \\\"msiexec.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":414,\"merged_version\":414,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"revision\":0,\"current_rule\":{\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"updated_at\":\"2024-12-04T19:45:44.689Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.689Z\",\"created_by\":\"elastic\",\"name\":\"Windows Defender Exclusions Added via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows 
Defender Exclusions Added via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Examine the exclusion in order to determine the intent behind it.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive 
analysis\\n\\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. There are many legitimate reasons for exclusions, so it's important to gain context.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")) and\\n process.args : 
(\\\"*Add-MpPreference*\\\", \\\"*Set-MpPreference*\\\") and\\n process.args : (\\\"*-Exclusion*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Defender Exclusions Added via PowerShell\",\"description\":\"Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Exclusions Added via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Examine the exclusion in order to determine the intent behind it.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"169c8cd2-358b-4bc1-a969-89ed1b50f8e0\",\"rule_id\":\"2c17e5d7-08b9-43b2-b58a-0270d65ac85b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.689Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")) and\\n process.args : (\\\"*Add-MpPreference*\\\", \\\"*Set-MpPreference*\\\") and\\n process.args : 
(\\\"*-Exclusion*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\"],\"target_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"revision\":0,\"current_rule\":{\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"updated_at\":\"2024-12-04T19:45:44.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.692Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Microsoft Diagnostics Wizard Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process 
arguments.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/nao_sec/status/1530196847679401984\",\"https://lolbas-project.github.io/lolbas/Binaries/Msdt/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.pe.original_file_name == \\\"msdt.exe\\\" or process.name : \\\"msdt.exe\\\") and\\n (\\n process.args : (\\\"IT_RebrowseForFile=*\\\", \\\"ms-msdt:/id\\\", \\\"ms-msdt:-id\\\", \\\"*FromBase64*\\\") or\\n\\n (process.args : \\\"-af\\\" and process.args : \\\"/skip\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\") and\\n process.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\diagnostics\\\\\\\\index\\\\\\\\PCWDiagnostic.xml\\\", \\\"PCWDiagnostic.xml\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\")) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.name : \\\"msdt.exe\\\" and process.name != null) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msdt.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msdt.exe\\\"))\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Microsoft Diagnostics Wizard Execution\",\"description\":\"Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/nao_sec/status/1530196847679401984\",\"https://lolbas-project.github.io/lolbas/Binaries/Msdt/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"16fc5aba-c692-46fb-8887-407e2ac99c42\",\"rule_id\":\"2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.pe.original_file_name == \\\"msdt.exe\\\" or process.name : \\\"msdt.exe\\\") and\\n (\\n process.args : 
(\\\"IT_RebrowseForFile=*\\\", \\\"ms-msdt:/id\\\", \\\"ms-msdt:-id\\\", \\\"*FromBase64*\\\") or\\n\\n (process.args : \\\"-af\\\" and process.args : \\\"/skip\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"mshta.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\") and\\n process.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\diagnostics\\\\\\\\index\\\\\\\\PCWDiagnostic.xml\\\", \\\"PCWDiagnostic.xml\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\")) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.name : \\\"msdt.exe\\\" and process.name != null) or\\n\\n (process.pe.original_file_name == \\\"msdt.exe\\\" and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msdt.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msdt.exe\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: 
Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"revision\":0,\"current_rule\":{\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"updated_at\":\"2024-12-04T19:45:44.694Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.694Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Kernel Modules\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This identifies attempts to enumerate information about a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"from\":\"now-9m\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \\nweak-modules or zfs)\\n\",\"new_terms_fields\":[\"process.parent.command_line\",\"process.command_line\",\"host.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Kernel Modules\",\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This identifies attempts to enumerate information about a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3e31fd30-0851-4ef6-9053-5a7bc93938e1\",\"rule_id\":\"2d8043ed-5bda-4caf-801c-c1feb7410504\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.694Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or 
plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\",\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \\nweak-modules or zfs)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n 
)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\\n (process.name:(lsmod or modinfo)) or \\n (process.name:kmod and process.args:list) or \\n (process.name:depmod and process.args:(--all or -a))\\n) and\\nnot (\\n process.parent.name:(\\n mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or\\n vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or\\n systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.parent.command_line\",\"process.command_line\",\"host.id\"],\"target_version\":[\"process.executable\",\"process.parent.executable\"],\"merged_version\":[\"process.executable\",\"process.parent.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"revision\":0,\"current_rule\":{\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"updated_at\":\"2024-12-04T19:45:44.697Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.697Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Access via Direct System Call\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Access via Direct System Call\\n\\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\\n\\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\\n\\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/SBousseaden/status/1278013896440324096\",\"https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n length(winlog.event_data.CallTrace) > 0 and\\n\\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\\n not winlog.event_data.CallTrace :\\n (\\\"?:\\\\\\\\WINDOWS\\\\\\\\SYSTEM32\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wow64cpu.dll*\\\",\\n 
\\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\wow64win.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\win32u.dll*\\\") and\\n\\n not winlog.event_data.TargetImage :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Malwarebytes Anti-Exploit\\\\\\\\mbae-svc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\*\\\\\\\\AcroCEF.exe\\\") and\\n\\n not (process.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\World of Warcraft\\\\\\\\_classic_\\\\\\\\WowClassic.exe\\\") and\\n not winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Access via Direct System Call\",\"description\":\"Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Access via Direct System Call\\n\\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. 
It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\\n\\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\\n\\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine 
registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove the malicious certificate from the root certificate store.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/SBousseaden/status/1278013896440324096\",\"https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2ed42379-4757-484a-a6e0-6ac4df45a282\",\"rule_id\":\"2dd480be-1263-4d9c-8672-172928f6789a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.697Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n length(winlog.event_data.CallTrace) > 0 and\\n\\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\\n not winlog.event_data.CallTrace :\\n (\\\"?:\\\\\\\\WINDOWS\\\\\\\\SYSTEM32\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\ntdll.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wow64cpu.dll*\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\wow64win.dll*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\win32u.dll*\\\") and\\n\\n not winlog.event_data.TargetImage :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Malwarebytes Anti-Exploit\\\\\\\\mbae-svc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat 
DC\\\\\\\\Acrobat\\\\\\\\*\\\\\\\\AcroCEF.exe\\\") and\\n\\n not (process.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\World of Warcraft\\\\\\\\_classic_\\\\\\\\WowClassic.exe\\\") and\\n not winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"revision\":0,\"current_rule\":{\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"updated_at\":\"2024-12-04T19:45:44.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.704Z\",\"created_by\":\"elastic\",\"name\":\"Wireless Credential Dumping using Netsh Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to dump Wireless saved access keys in clear text 
using the Windows built-in utility Netsh.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Wireless Credential Dumping using Netsh Command\\n\\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\\n\\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous 
entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts\",\"https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : \\\"wlan\\\" and process.args : \\\"key*clear\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Wireless Credential Dumping using Netsh Command\",\"description\":\"Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Wireless Credential Dumping using Netsh Command\\n\\nNetsh is a Windows command line tool used for network configuration and troubleshooting. 
It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\\n\\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running 
on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts\",\"https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e2da6171-c7a5-4b16-8c1e-5bc1553a1119\",\"rule_id\":\"2de87d72-ee0c-43e2-b975-5f0b029ac600\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"netsh.exe\\\" or ?process.pe.original_file_name == \\\"netsh.exe\\\") and\\n process.args : \\\"wlan\\\" and process.args : \\\"key*clear\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"revision\":0,\"current_rule\":{\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"updated_at\":\"2024-12-04T19:45:44.706Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.706Z\",\"created_by\":\"elastic\",\"name\":\"Renamed AutoIt Scripts Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious AutoIt process execution. 
Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed AutoIt Scripts Interpreter\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\\n\\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"AutoIt*.exe\\\" and not process.name : \\\"AutoIt*.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Renamed AutoIt Scripts Interpreter\",\"description\":\"Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Renamed AutoIt Scripts Interpreter\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\\n\\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System 
Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"07c1e43e-9e38-4a68-959f-8365095626b8\",\"rule_id\":\"2e1e835d-01e5-48ca-b9fc-7a61f7f11902\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.706Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"AutoIt*.exe\\\" and not process.name : \\\"AutoIt*.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation 
Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"revision\":0,\"current_rule\":{\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"updated_at\":\"2024-12-04T19:45:44.709Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.709Z\",\"created_by\":\"elastic\",\"name\":\"Potential Process Injection via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Process Injection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\\n\\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"from\":\"now-9m\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1\",\"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\\n ) and not \\n file.directory: (\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\\\" or\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Process Injection via PowerShell\",\"description\":\"Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Process Injection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\\n\\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these 
functions.\"],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1\",\"https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"8bba526e-b48f-4e4e-be60-d5543c6267ed\",\"rule_id\":\"2e29e96a-b67c-455a-afe4-de6183431d0d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.709Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\\n ) and not \\n file.directory: (\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\\\" or\\n \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"revision\":0,\"current_rule\":{\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"updated_at\":\"2024-12-04T19:45:44.711Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.711Z\",\"created_by\":\"elastic\",\"name\":\"Accessing Outlook Data Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email 
Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.args : (\\\"*.ost\\\", \\\"*.pst\\\") and\\n not process.name : \\\"outlook.exe\\\" and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"*davclnt.dll,DavSetCookie*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Accessing Outlook Data Files\",\"description\":\"Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29788b1a-42b1-4dd1-9486-f7f808407a63\",\"rule_id\":\"2e311539-cd88-4a85-a301-04f38795007c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.711Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.args : (\\\"*.ost\\\", \\\"*.pst\\\") and\\n not process.name : \\\"outlook.exe\\\" and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"*davclnt.dll,DavSetCookie*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"revision\":0,\"current_rule\":{\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"updated_at\":\"2024-12-04T19:45:40.144Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.144Z\",\"created_by\":\"elastic\",\"name\":\"Creation of a Hidden Local User Account\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a hidden local user account by appending the dollar sign to the account name. 
This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation of a Hidden Local User Account\\n\\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\\n\\nThis rule uses registry events to identify the creation of local hidden accounts.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Delete the hidden account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html\",\"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of a Hidden Local User Account\",\"description\":\"Identifies the creation of a hidden 
local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Creation of a Hidden Local User Account\\n\\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\\n\\nThis rule uses registry events to identify the creation of local hidden accounts.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Delete the hidden account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html\",\"https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"884e84dd-9194-4a31-9196-f285d1204b12\",\"rule_id\":\"2edc8076-291e-41e9-81e4-e3fcbc97ae5e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.144Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n 
registry.path : (\\n \\\"HKLM\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\",\\n \\\"MACHINE\\\\\\\\SAM\\\\\\\\SAM\\\\\\\\Domains\\\\\\\\Account\\\\\\\\Users\\\\\\\\Names\\\\\\\\*$\\\\\\\\\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"revision\":0,\"current_rule\":{\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"updated_at\":\"2024-12-04T19:45:44.718Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.718Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Script with Audio Capture Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1123\",\"name\":\"Audio Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1123/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Get-MicrophoneAudio\\\" or\\n \\\"WindowsAudioDevice-Powershell-Cmdlet\\\" or\\n (waveInGetNumDevs and mciSendStringA)\\n )\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Audio Capture Capabilities\",\"description\":\"Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation 
tooling.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1123\",\"name\":\"Audio Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1123/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1a9c38ac-2dd6-4bc4-bce6-40bb7e30b07d\",\"rule_id\":\"2f2f4939-0b34-40c2-a0a3-844eb7889f43\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.718Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Get-MicrophoneAudio\\\" or\\n \\\"WindowsAudioDevice-Powershell-Cmdlet\\\" or\\n (waveInGetNumDevs and mciSendStringA)\\n )\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"revision\":0,\"current_rule\":{\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"updated_at\":\"2024-12-04T19:45:44.721Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.721Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Disable Syslog Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n ( (process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))\\n ) and process.args in (\\\"syslog\\\", \\\"rsyslog\\\", \\\"syslog-ng\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Disable Syslog Service\",\"description\":\"Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5e6ce03a-3ed9-4b59-93b6-d2d56d78d741\",\"rule_id\":\"2f8a1226-5720-437d-9c20-e0029deb6194\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.006Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:44.721Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n ( (process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))\\n ) and process.args in (\\\"syslog\\\", \\\"rsyslog\\\", 
\\\"syslog-ng\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"revision\":0,\"current_rule\":{\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"updated_at\":\"2024-12-04T19:45:40.150Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.150Z\",\"created_by\":\"elastic\",\"name\":\"Windows Defender Disabled via Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Disabled via Registry Modification\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. 
Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Re-enable Windows Defender and restore the service configurations to automatic start.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2020/12/13/defender-control/\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n ) and\\n registry.data.strings: (\\\"1\\\", \\\"0x00000001\\\")\\n ) or\\n (\\n registry.path: (\\n 
\\\"HKLM\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings in (\\\"3\\\", \\\"4\\\", \\\"0x00000003\\\", \\\"0x00000004\\\")\\n )\\n ) and\\n\\n not\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\NTRmv.exe\\\"\\n ) and user.id : \\\"S-1-5-18\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Defender Disabled via Registry Modification\",\"description\":\"Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Defender Disabled via Registry Modification\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Re-enable Windows Defender and restore the service configurations to automatic start.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2020/12/13/defender-control/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"022aa806-2ecc-429c-bc1c-11bcde789ef1\",\"rule_id\":\"2ffa1f1e-b6db-47fa-994b-1512743847eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.150Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n ) and\\n registry.data.strings: (\\\"1\\\", \\\"0x00000001\\\")\\n ) or\\n (\\n registry.path: (\\n \\\"HKLM\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\System\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\WinDefend\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings in (\\\"3\\\", \\\"4\\\", \\\"0x00000003\\\", \\\"0x00000004\\\")\\n )\\n ) and\\n\\n not\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\services.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\NTRmv.exe\\\"\\n ) and user.id : \\\"S-1-5-18\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"revision\":0,\"current_rule\":{\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"updated_at\":\"2024-12-04T19:46:03.729Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.729Z\",\"created_by\":\"elastic\",\"name\":\"AWS STS GetCallerIdentity API Called for the First Time\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.004\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\",\"https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials\",\"https://detectioninthe.cloud/ttps/discovery/get_caller_identity/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.dataset:\\\"aws.cloudtrail\\\" and event.provider:\\\"sts.amazonaws.com\\\" and event.action:\\\"GetCallerIdentity\\\"\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-10d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS STS GetCallerIdentity API Called for the First Time\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. 
This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. 
We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Discovery\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html\",\"https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials\",\"https://detectioninthe.cloud/ttps/discovery/get_caller_identity/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.004\",\"name\":\"Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"92625dbe-14e3-4b8d-b7ed-6c455ac05dde\",\"rule_id\":\"30fbf4db-c502-4e68-a239-2e99af0f70da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.729Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: 
\\\"AssumedRole\\\"\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-10d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. 
We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 10 days (the rule's `history_window_start` is `now-10d`).\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment. Note that this version of the query excludes the `AssumedRole` identity type, so calls made with temporary credentials from EC2 instance profiles, Lambda execution roles or other `AssumeRole` sessions (which CloudTrail normally records as `AssumedRole`) do not trigger this rule; a first-time call from a long-lived identity such as an IAM user access key is what this rule surfaces and warrants scrutiny.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS GetCallerIdentity API Called for the First Time\\n\\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation.\\nNo permissions are required to run this operation and the same information is returned even when access is denied.\\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 10 days (the rule's `history_window_start` is `now-10d`).\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment. Note that this version of the query excludes the `AssumedRole` identity type, so calls made with temporary credentials from EC2 instance profiles, Lambda execution roles or other `AssumeRole` sessions (which CloudTrail normally records as `AssumedRole`) do not trigger this rule; a first-time call from a long-lived identity such as an IAM user access key is what this rule surfaces and warrants scrutiny.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Review IAM permission policies for the user identity.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions — preferably with a combination of user agent and IP address conditions.\\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\
"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:\\\"aws.cloudtrail\\\" and event.provider:\\\"sts.amazonaws.com\\\" and event.action:\\\"GetCallerIdentity\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: \\\"AssumedRole\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"GetCallerIdentity\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.type: \\\"AssumedRole\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"revision\":0,\"current_rule\":{\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"updated_at\":\"2024-12-04T19:45:45.844Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.844Z\",\"created_by\":\"elastic\",\"name\":\"Bypass UAC via Event Viewer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Bypass UAC via Event Viewer\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Bypass UAC via Event Viewer\",\"description\":\"Identifies User Account 
Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Bypass UAC via Event Viewer\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\\\Software\\\\Classes\\\\mscfile\\\\shell\\\\open\\\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e3273e1b-7942-4b0f-a143-4b138a4868dc\",\"rule_id\":\"31b4c719-f2b4-41f6-a9bd-fce93c2eaf62\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.844Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"eventvwr.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\mmc.exe\\\",\\n \\\"?\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\WerFault.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"revision\":0,\"current_rule\":{\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"updated_at\":\"2024-12-04T19:46:03.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.732Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection from Binary with RWX Memory Region\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. 
The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection from Binary with RWX Memory Region\",\"description\":\"Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. 
RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-a always,exit -F arch=b64 -S mprotect\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are 
desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"967e9395-3053-4020-9e86-e4a3a4ee8481\",\"rule_id\":\"32300431-c2d5-432d-8ec8-0e03f9924756\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\"],\"target_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://man7.org/linux/man-pages/man2/mprotect.2.html\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n /* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sample by host.id, process.pid, process.name\\n 
/* auditd.data.a2 == \\\"7\\\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"mprotect\\\" and auditd.data.a2 == \\\"7\\\" and\\n not process.name == \\\"httpd\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"revision\":0,\"current_rule\":{\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"updated_at\":\"2024-12-04T19:45:45.856Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.856Z\",\"created_by\":\"elastic\",\"name\":\"RPC (Remote Procedure Call) to the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. 
It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 
or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RPC (Remote Procedure Call) to the Internet\",\"description\":\"This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"59ef5e4c-a5c2-4878-acd8-425d021ab442\",\"rule_id\":\"32923416-763a-4531-bb35-f33b9232ecdb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.856Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"revision\":0,\"current_rule\":{\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"updated_at\":\"2024-12-04T19:45:45.858Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.858Z\",\"created_by\":\"elastic\",\"name\":\"Program Files Directory Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Program Files Directory Masquerading\",\"description\":\"Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72ad354e-db78-4093-8735-62b38bebdc18\",\"rule_id\":\"32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.858Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"C:\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\*Program*Files*\\\\\\\\*.exe\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Downloaded Program Files\\\\\\\\*.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?FilesOpera*\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\.opera\\\\\\\\????????????\\\\\\\\CProgram?Files?(x86)Opera*\\\\\\\\*.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"revision\":0,\"current_rule\":{\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"updated_at\":\"2024-12-04T19:45:45.861Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.861Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious MS Outlook Child 
Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Outlook Child Process\\n\\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\\n\\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : (\\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\",\\n \\\"cdb.exe\\\", 
\\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\",\\n \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\",\\n \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"xwizard.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious MS Outlook Child Process\",\"description\":\"Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Outlook Child Process\\n\\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\\n\\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f3def219-2078-49f0-8097-4a966d572bd7\",\"rule_id\":\"32f4675e-6c49-4ace-80f9-97c9259dca2e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.861Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : (\\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\",\\n \\\"cdb.exe\\\", \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\",\\n \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\", \\\"qprocess.exe\\\", 
\\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\",\\n \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"xwizard.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: 
Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"revision\":0,\"current_rule\":{\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"updated_at\":\"2024-12-04T19:45:45.865Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.865Z\",\"created_by\":\"elastic\",\"name\":\"ESXI Discovery via Find\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \\\"/etc/vmware/\\\", \\\"/usr/lib/vmware/\\\", or \\\"/vmfs/*\\\". 
These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"find\\\" and process.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ESXI Discovery via Find\",\"description\":\"Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \\\"/etc/vmware/\\\", \\\"/usr/lib/vmware/\\\", or \\\"/vmfs/*\\\". 
These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f8070f29-22d8-4345-ba1d-2cf6ff5e75f9\",\"rule_id\":\"33a6752b-da5e-45f8-b13a-5f094c09522f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.865Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == 
\\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n 
and process.name == \\\"find\\\" and process.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == \\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and process.name == \\\"find\\\" and\\nprocess.args : (\\\"/etc/vmware/*\\\", \\\"/usr/lib/vmware/*\\\", \\\"/vmfs/*\\\") and \\nnot process.parent.executable == \\\"/usr/lib/vmware/viewagent/bin/uninstall_viewagent.sh\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"revision\":0,\"current_rule\":{\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"updated_at\":\"2024-12-04T19:45:40.178Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.178Z\",\"created_by\":\"elastic\",\"name\":\"Accepted Default Telnet Port Connection\",\"tags\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the 
use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. 
Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\\n and event.type:connection and not event.action:(\\n flow_dropped or flow_denied or denied or deny or\\n flow_terminated or timeout or Reject 
or network_flow)\\n and destination.port:23\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Accepted Default Telnet Port Connection\",\"description\":\"This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. 
Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"424f39d3-c2b5-471b-9e78-301b96708483\",\"rule_id\":\"34fde489-94b0-4500-a76f-b8a157cf9269\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.178Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\\n and 
event.type:connection and not event.action:(\\n flow_dropped or flow_denied or denied or deny or\\n flow_terminated or timeout or Reject or network_flow)\\n and destination.port:23\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\"],\"target_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Tactic: Initial Access\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"revision\":0,\"current_rule\":{\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"updated_at\":\"2024-12-04T19:45:45.875Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.875Z\",\"created_by\":\"elastic\",\"name\":\"Port Forwarding Rule Addition\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a new port forwarding rule. 
An adversary may abuse this technique to bypass network segmentation restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Port Forwarding Rule Addition\\n\\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\\n\\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\\n\\nThis rule monitors the modifications to the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\` subkeys.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Delete the port forwarding rule.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\"],\"version\":312,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Port Forwarding Rule Addition\",\"description\":\"Identifies the creation of a new port forwarding rule. 
An adversary may abuse this technique to bypass network segmentation restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Port Forwarding Rule Addition\\n\\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\\n\\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\\n\\nThis rule monitors the modifications to the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\` subkeys.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Delete the port forwarding rule.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":413,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3120e238-ac07-4320-a9f4-6d46ff2a101a\",\"rule_id\":\"3535c8bb-3bd5-40f4-ae32-b7cd589d5372\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.875Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\PortProxy\\\\\\\\v4tov4\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":312,\"target_version\":413,\"merged_version\":413,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"revision\":0,\"current_rule\":{\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"updated_at\":\"2024-12-04T19:45:45.880Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.880Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Parent-Child Relationship\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Parent-Child Relationship\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\\n\\nThis rule uses this information to spot suspicious parent and child processes.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.parent.name != null and\\n (\\n /* suspicious parent processes */\\n (process.name:\\\"autochk.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"fontdrvhost.exe\\\", \\\"dwm.exe\\\") and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"consent.exe\\\", \\\"RuntimeBroker.exe\\\", \\\"TiWorker.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n (process.name:\\\"SearchIndexer.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"SearchProtocolHost.exe\\\" and not process.parent.name:(\\\"SearchIndexer.exe\\\", \\\"dllhost.exe\\\")) or\\n (process.name:\\\"dllhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"smss.exe\\\" and not process.parent.name:(\\\"System\\\", \\\"smss.exe\\\")) or\\n (process.name:\\\"csrss.exe\\\" and not process.parent.name:(\\\"smss.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"wininit.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:\\\"winlogon.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"lsass.exe\\\", \\\"LsaIso.exe\\\") and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"LogonUI.exe\\\" and not 
process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:\\\"services.exe\\\" and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"svchost.exe\\\" and not process.parent.name:(\\\"MsMpEng.exe\\\", \\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"spoolsv.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"taskhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\", \\\"ngentask.exe\\\")) or\\n (process.name:\\\"taskhostw.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"userinit.exe\\\" and not process.parent.name:(\\\"dwm.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"wmiprvse.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n /* suspicious child processes */\\n (process.parent.name:(\\\"SearchProtocolHost.exe\\\", \\\"taskhost.exe\\\", \\\"csrss.exe\\\") and not process.name:(\\\"werfault.exe\\\", \\\"wermgr.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"conhost.exe\\\")) or\\n (process.parent.name:\\\"autochk.exe\\\" and not process.name:(\\\"chkdsk.exe\\\", \\\"doskey.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"smss.exe\\\" and not process.name:(\\\"autochk.exe\\\", \\\"smss.exe\\\", \\\"csrss.exe\\\", \\\"wininit.exe\\\", \\\"winlogon.exe\\\", \\\"setupcl.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"wermgr.exe\\\" and not process.name:(\\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"conhost.exe\\\" and not process.name:(\\\"mscorsvw.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\"))\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Parent-Child Relationship\",\"description\":\"Identifies Windows programs run from unexpected parent processes. 
This could indicate masquerading or other strange activity on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Parent-Child Relationship\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\\n\\nThis rule uses this information to spot suspicious parent and child processes.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f58aa97a-ef4b-41a1-bab2-ae4e2dd6c593\",\"rule_id\":\"35df0dd8-092d-4a83-88c1-5151a804f31b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.880Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.parent.name != null and\\n (\\n /* suspicious parent processes */\\n (process.name:\\\"autochk.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"fontdrvhost.exe\\\", \\\"dwm.exe\\\") and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"consent.exe\\\", \\\"RuntimeBroker.exe\\\", \\\"TiWorker.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n (process.name:\\\"SearchIndexer.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"SearchProtocolHost.exe\\\" and not process.parent.name:(\\\"SearchIndexer.exe\\\", \\\"dllhost.exe\\\")) or\\n (process.name:\\\"dllhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"smss.exe\\\" and not 
process.parent.name:(\\\"System\\\", \\\"smss.exe\\\")) or\\n (process.name:\\\"csrss.exe\\\" and not process.parent.name:(\\\"smss.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"wininit.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:\\\"winlogon.exe\\\" and not process.parent.name:\\\"smss.exe\\\") or\\n (process.name:(\\\"lsass.exe\\\", \\\"LsaIso.exe\\\") and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"LogonUI.exe\\\" and not process.parent.name:(\\\"wininit.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:\\\"services.exe\\\" and not process.parent.name:\\\"wininit.exe\\\") or\\n (process.name:\\\"svchost.exe\\\" and not process.parent.name:(\\\"MsMpEng.exe\\\", \\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"spoolsv.exe\\\" and not process.parent.name:\\\"services.exe\\\") or\\n (process.name:\\\"taskhost.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\", \\\"ngentask.exe\\\")) or\\n (process.name:\\\"taskhostw.exe\\\" and not process.parent.name:(\\\"services.exe\\\", \\\"svchost.exe\\\")) or\\n (process.name:\\\"userinit.exe\\\" and not process.parent.name:(\\\"dwm.exe\\\", \\\"winlogon.exe\\\")) or\\n (process.name:(\\\"wmiprvse.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") and not process.parent.name:\\\"svchost.exe\\\") or\\n /* suspicious child processes */\\n (process.parent.name:(\\\"SearchProtocolHost.exe\\\", \\\"taskhost.exe\\\", \\\"csrss.exe\\\") and not process.name:(\\\"werfault.exe\\\", \\\"wermgr.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"conhost.exe\\\")) or\\n (process.parent.name:\\\"autochk.exe\\\" and not process.name:(\\\"chkdsk.exe\\\", \\\"doskey.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"smss.exe\\\" and not process.name:(\\\"autochk.exe\\\", \\\"smss.exe\\\", \\\"csrss.exe\\\", \\\"wininit.exe\\\", \\\"winlogon.exe\\\", \\\"setupcl.exe\\\", \\\"WerFault.exe\\\")) or\\n 
(process.parent.name:\\\"wermgr.exe\\\" and not process.name:(\\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\")) or\\n (process.parent.name:\\\"conhost.exe\\\" and not process.name:(\\\"mscorsvw.exe\\\", \\\"wermgr.exe\\\", \\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\"],\"target_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png\",\"https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"revision\":0,\"current_rule\":{\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"updated_at\":\"2024-12-04T19:45:40.175Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.175Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious ImagePath Service Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a suspicious ImagePath value. 
This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == 
\\\"change\\\" and\\n registry.value : \\\"ImagePath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and\\n /* add suspicious registry ImagePath values here */\\n registry.data.strings : (\\\"%COMSPEC%*\\\", \\\"*\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious ImagePath Service Creation\",\"description\":\"Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a1336dc0-681c-473f-b209-11408786f6fc\",\"rule_id\":\"36a8e048-d888-4f61-a8b9-0f9e2e40f317\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.175Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"ImagePath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and\\n /* add suspicious registry ImagePath values here */\\n registry.data.strings : (\\\"%COMSPEC%*\\\", 
\\\"*\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"revision\":0,\"current_rule\":{\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"updated_at\":\"2024-12-04T19:45:45.901Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.901Z\",\"created_by\":\"elastic\",\"name\":\"AWS Execution via System Manager\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS Execution via System Manager\\n\\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\\n\\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using a host-level security product.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate the commands or scripts using host-level visibility.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS SSM `SendCommand` Execution by Rare User\",\"description\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. 
While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. 
If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. 
Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web 
Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f6f7e469-f668-45ff-bba9-64a1601ce543\",\"rule_id\":\"37b211e8-4e2f-440f-86d8-06cc8f158cfa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.901Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and 
event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"new_terms_fields\":[\"aws.cloudtrail.user_identity.arn\"],\"history_window_start\":\"now-7d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Execution via System Manager\",\"target_version\":\"AWS SSM `SendCommand` Execution by Rare User\",\"merged_version\":\"AWS SSM `SendCommand` Execution by Rare User\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS SSM\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies the execution of commands and scripts via System Manager. 
Execution methods such as RunShellScript, RunPowerShellScript, and the like can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.\",\"target_version\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"merged_version\":\"Detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM), such as `RunShellScript`, `RunPowerShellScript` or custom documents. While legitimate users may employ these commands for management tasks, they can also be exploited by attackers with credentials to establish persistence, install malware, or execute reverse shells for further access to compromised instances. 
This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that looks for the first instance of this behavior by the `aws.cloudtrail.user_identity.arn` field in the last 7 days.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1651\",\"name\":\"Cloud Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1651/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS Execution via System Manager\\n\\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\\n\\nThis rule looks for the execution of commands and scripts 
using System Manager. Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using a host-level security product.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate the commands or scripts using host-level visibility.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"target_version\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. 
Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. 
Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"merged_version\":\"## Triage and Analysis\\n\\n### Investigating AWS SSM `SendCommand` Execution by Rare User\\n\\nThis rule 
detects the execution of commands or scripts on EC2 instances using AWS Systems Manager (SSM) by an unexpected or new user. The SSM `SendCommand` action can enable remote command execution, which adversaries may exploit to install backdoors, deploy malware, or interact with compromised instances through reverse shells.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Target Instance**:\\n - **Instance ID**: Review the `aws.cloudtrail.flattened.request_parameters.targets` field to identify which EC2 instances were targeted by this command. Confirm if these instances are expected to be managed through SSM.\\n - **Document Used**: Check the `aws.cloudtrail.flattened.request_parameters.documentName` field, which specifies the document or script being executed. Commands such as `RunShellScript` or `RunPowerShellScript` can indicate interactive sessions or script-based interactions.\\n\\n- **Review User Context**:\\n - **User Identity**: Inspect the `aws.cloudtrail.user_identity.arn` field to determine the user or role executing the `SendCommand`. If this user is not typically involved in EC2 or SSM interactions, this could indicate unauthorized access.\\n - **Access Patterns**: Validate whether the user typically has permissions to perform `SendCommand` operations on instances and whether the frequency of this action matches expected behavior.\\n\\n- **Analyze Command Parameters**:\\n - **Document Contents**: While the exact command may not be visible in CloudTrail, use logs to determine the purpose of the script, especially if the document name suggests encryption, data transfer, or reverse shell capabilities.\\n - **Timing and Context**: Compare this command execution with other recent SSM actions in your environment. 
A single `SendCommand` event by an unusual user can indicate an early stage of a larger attack.\\n\\n- **Check User Agent and Source IP**:\\n - **User Agent Analysis**: Review the `user_agent.original` field to verify the tool or client used (e.g., `aws-cli`). This can provide insight into whether this action was automated, scripted, or executed manually.\\n - **Source IP and Geolocation**: Use `source.address` and `source.geo` fields to check if the IP address and geolocation align with expected regions for your organization. Unusual IP addresses or locations can indicate external adversaries.\\n\\n- **Evaluate for Persistence Indicators**:\\n - **Command Consistency**: Investigate if this action is part of a recurring pattern, such as repeated command executions across instances, which may suggest an attempt to maintain access.\\n - **Permissions**: Ensure that the IAM policies associated with the user limit `SendCommand` actions to necessary use cases. Consider adding alerts for commands executed by users with minimal roles or permissions.\\n\\n- **Correlate with Other CloudTrail Events**:\\n - **Cross-Reference SSM Actions**: Look for other recent SSM actions like `CreateDocument`, `UpdateDocument`, or additional `SendCommand` events that could indicate preparation for further exploitation.\\n - **Monitor Data Access or Modification**: Correlate with `S3` access patterns, IAM changes, or EC2 modifications in recent events to detect broader malicious activities.\\n\\n### False Positive Analysis\\n\\n- **Routine Automation**: SSM `SendCommand` may be used by automation scripts or management tools. 
Verify if this event aligns with known, routine automated workflows.\\n- **Maintenance Activity**: Confirm if legitimate administrative activities, such as patching or updates, are expected at this time, which may involve similar commands executed on multiple instances.\\n\\n### Response and Remediation\\n\\n- **Limit SSM Permissions**: If unauthorized, immediately revoke `SendCommand` permissions from the user or role to prevent further access.\\n- **Quarantine Target Instance**: If malicious behavior is confirmed, isolate the affected EC2 instance(s) to limit lateral movement or data exfiltration.\\n- **Investigate and Contain User Account**: If the action was performed by a compromised account, review recent activity and reset access credentials as necessary.\\n- **Audit SSM and IAM Configurations**: Periodically review permissions associated with SSM usage and ensure least privilege access principles are in place.\\n\\n### Additional Information\\n\\nFor further details on managing AWS SSM and security best practices for EC2 instances, refer to the [AWS Systems Manager Documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html) and AWS best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.arn\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"10m\",\"lookback\":\"3000s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and 
event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"ssm.amazonaws.com\\\"\\n and event.action: \\\"SendCommand\\\"\\n and event.outcome: \\\"success\\\"\\n and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"aws.cloudtrail.user_identity.arn\"],\"merged_version\":[\"aws.cloudtrail.user_identity.arn\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-7d\",\"merged_version\":\"now-7d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":13,\"num_fields_with_conflicts\":12,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"revision\":0,\"current_rule\":{\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"updated_at\":\"2024-12-04T19:45:45.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.908Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via 
Certutil\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Certutil\\n\\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\\n\\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Investigate if the downloaded file was executed.\\n- Determine the context in which `certutil.exe` and the file were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://frsecure.com/malware-incident-response-playbook/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and process.name : \\\"certutil.exe\\\" and\\n not cidrmatch(destination.ip, 
\\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name in (\\\"localhost\\\", \\\"*.digicert.com\\\", \\\"ctldl.windowsupdate.com\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Certutil\",\"description\":\"Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Certutil\\n\\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\\n\\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Investigate if the downloaded file was executed.\\n- Determine the context in which `certutil.exe` and the file were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe 
and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://frsecure.com/malware-incident-response-playbook/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a57bc828-3b6e-4515-8720-2798c6d405f4\",\"rule_id\":\"3838e0e3-1850-4850-a411-2e8c5ba40ba8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and process.name : \\\"certutil.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name in (\\\"localhost\\\", \\\"*.digicert.com\\\", 
\\\"ctldl.windowsupdate.com\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"updated_at\":\"2024-12-04T19:45:45.915Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.915Z\",\"created_by\":\"elastic\",\"name\":\"External User Added to Google Workspace Group\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating External User Added to Google Workspace Group\\n\\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\\n\\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges could be weaponized for further intrusion.\\n\\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\\n - The `user.target.email` field contains the user added to the groups\\n - The `group.name` field contains the group the target user was added to\\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\\n- To identify other users in this group, search for `event.action: \\\"ADD_GROUP_MEMBER\\\"`\\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\\n- Review Gmail logs where emails were sent to and from the `group.name` value\\n - This may indicate potential internal spearphishing\\n\\n### False positive analysis\\n- With the user account who added the new user, verify this action was intentional\\n- Verify that the target who was added to the group is expected to have access to the organization's resources and data\\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following 
actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.\"],\"from\":\"now-130m\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/33329\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.email\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.group.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"iam where event.dataset == \\\"google_workspace.admin\\\" and event.action == \\\"ADD_GROUP_MEMBER\\\" and\\n not endsWith(user.target.email, user.target.group.domain)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"External User Added to Google Workspace Group\",\"description\":\"Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating External User Added to Google Workspace Group\\n\\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\\n\\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges could be weaponized for further intrusion.\\n\\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\\n - The `user.target.email` field contains the user added to the groups\\n - The `group.name` field contains the group the target user was added to\\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\\n- To identify other users in this group, search for `event.action: \\\"ADD_GROUP_MEMBER\\\"`\\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\\n- Review Gmail logs where emails were sent to and from the `group.name` value\\n - This may indicate potential internal spearphishing\\n\\n### False positive analysis\\n- With the user account who added the new user, verify this action was intentional\\n- Verify that the target who was added to the group is expected to have access to the organization's resources and data\\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following 
actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account.\"],\"references\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.email\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.target.group.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"985db3a5-2aae-4172-9688-5ef3fb056822\",\"rule_id\":\"38f384e0-aef8-11ed-9a38-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.915Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.dataset == \\\"google_workspace.admin\\\" and event.action == \\\"ADD_GROUP_MEMBER\\\" and\\n not endsWith(user.target.email, user.target.group.domain)\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/33329\"],\"target_version\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/33329\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"revision\":0,\"current_rule\":{\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"updated_at\":\"2024-12-04T19:45:45.924Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.924Z\",\"created_by\":\"elastic\",\"name\":\"Downloaded Shortcut Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"lnk\\\" and file.Ext.windows.zone_identifier > 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Downloaded Shortcut Files\",\"description\":\"Identifies .lnk shortcut file downloaded from outside the local network. 
These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1db06b17-0b99-4714-a6a0-92b044c2009a\",\"rule_id\":\"39157d52-4035-44a8-9d1a-6f8c5f580a07\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.007Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.924Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"lnk\\\" and file.Ext.windows.zone_identifier > 1\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"revision\":0,\"current_rule\":{\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"updated_at\":\"2024-12-04T19:45:45.927Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.927Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Microsoft Outlook VBA\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE.\"],\"from\":\"now-9m\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\",\"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Outlook\\\\\\\\VbaProject.OTM\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Microsoft Outlook VBA\",\"description\":\"Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE.\"],\"references\":[\"https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/\",\"https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17eabcd5-ccaf-426a-ae51-0d43609f6f70\",\"rule_id\":\"397945f3-d39a-4e6f-8bcb-9656c2031438\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.927Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : 
\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Outlook\\\\\\\\VbaProject.OTM\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"revision\":0,\"current_rule\":{\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"updated_at\":\"2024-12-04T19:46:03.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.736Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Generator Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. 
Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", 
\\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Generator Created\",\"description\":\"This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. 
Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"21dd78ef-2eb5-4cd3-814c-cbb253d00468\",\"rule_id\":\"39c06367-b700-4380-848a-cab06e7afede\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) 
and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\"],\"target_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", 
\\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n\\\"/run/systemd/system-generators/*\\\", \\\"/etc/systemd/system-generators/*\\\",\\n\\\"/usr/local/lib/systemd/system-generators/*\\\", \\\"/lib/systemd/system-generators/*\\\",\\n\\\"/usr/lib/systemd/system-generators/*\\\", \\\"/etc/systemd/user-generators/*\\\",\\n\\\"/usr/local/lib/systemd/user-generators/*\\\", \\\"/usr/lib/systemd/user-generators/*\\\",\\n\\\"/lib/systemd/user-generators/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", 
\\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/usr/sbin/sshd\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/platform-python\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable == null\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"revision\":0,\"current_rule\":{\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"updated_at\":\"2024-12-04T19:45:45.929Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.929Z\",\"created_by\":\"elastic\",\"name\":\"Potential DNS Tunneling via NsLookup\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. 
This may indicate command and control activity utilizing the DNS protocol.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential DNS Tunneling via NsLookup\\n\\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\\n\\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\\n\\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the DNS query and identify the information sent.\\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Immediately block the identified indicators of compromise (IoCs).\\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Update firewall rules to be more restrictive.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.004\",\"name\":\"DNS\",\"reference\":\"https://attack.mitre.org/techniques/T1071/004/\"}]},{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"sequence by host.id with maxspan=5m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nslookup.exe\\\" and process.args:(\\\"-querytype=*\\\", \\\"-qt=*\\\", \\\"-q=*\\\", \\\"-type=*\\\")] with runs = 10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential DNS Tunneling via NsLookup\",\"description\":\"This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. 
This may indicate command and control activity utilizing the DNS protocol.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential DNS Tunneling via NsLookup\\n\\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\\n\\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\\n\\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the DNS query and identify the information sent.\\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Immediately block the identified indicators of compromise (IoCs).\\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Update firewall rules to be more restrictive.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.004\",\"name\":\"DNS\",\"reference\":\"https://attack.mitre.org/techniques/T1071/004/\"}]},{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5bfc3f7-c7be-4e10-8c61-8656870a58b9\",\"rule_id\":\"3a59fc81-99d3-47ea-8cd6-d48d561fca20\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.929Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5m\\n[process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and\\n process.name : \\\"nslookup.exe\\\" and process.args:(\\\"-querytype=*\\\", \\\"-qt=*\\\", \\\"-q=*\\\", \\\"-type=*\\\")] with runs = 10\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"revision\":0,\"current_rule\":{\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"updated_at\":\"2024-12-04T19:45:45.932Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.932Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Module Loaded by LSASS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.xpnsec.com/exploring-mimikatz-part-2/\",\"https://github.com/jas502n/mimikat_ssp\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n 
\\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n 
\\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Module Loaded by LSASS\",\"description\":\"Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.xpnsec.com/exploring-mimikatz-part-2/\",\"https://github.com/jas502n/mimikat_ssp\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7ed04db2-5ea7-47f5-abe7-86c1798bd9f7\",\"rule_id\":\"3a6001a0-0939-4bbe-86f4-47d8faeb7b97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.932Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e 
Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n 
\\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"library where host.os.type == \\\"windows\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker 
AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n 
\\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro 
Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n \\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where event.category in (\\\"library\\\", \\\"driver\\\") and host.os.type == \\\"windows\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n not (dll.code_signature.subject_name :\\n (\\\"Microsoft Windows\\\",\\n \\\"Microsoft Corporation\\\",\\n \\\"Microsoft Windows Publisher\\\",\\n \\\"Microsoft Windows Software Compatibility Publisher\\\",\\n \\\"Microsoft Windows Hardware Compatibility Publisher\\\",\\n \\\"McAfee, 
Inc.\\\",\\n \\\"SecMaker AB\\\",\\n \\\"HID Global Corporation\\\",\\n \\\"HID Global\\\",\\n \\\"Apple Inc.\\\",\\n \\\"Citrix Systems, Inc.\\\",\\n \\\"Dell Inc\\\",\\n \\\"Hewlett-Packard Company\\\",\\n \\\"Symantec Corporation\\\",\\n \\\"National Instruments Corporation\\\",\\n \\\"DigitalPersona, Inc.\\\",\\n \\\"Novell, Inc.\\\",\\n \\\"gemalto\\\",\\n \\\"EasyAntiCheat Oy\\\",\\n \\\"Entrust Datacard Corporation\\\",\\n \\\"AuriStor, Inc.\\\",\\n \\\"LogMeIn, Inc.\\\",\\n \\\"VMware, Inc.\\\",\\n \\\"Istituto Poligrafico e Zecca dello Stato S.p.A.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"Yubico AB\\\",\\n \\\"GEMALTO SA\\\",\\n \\\"Secure Endpoints, Inc.\\\",\\n \\\"Sophos Ltd\\\",\\n \\\"Morphisec Information Security 2014 Ltd\\\",\\n \\\"Entrust, Inc.\\\",\\n \\\"Nubeva Technologies Ltd\\\",\\n \\\"Micro Focus (US), Inc.\\\",\\n \\\"F5 Networks Inc\\\",\\n \\\"Bit4id\\\",\\n \\\"Thales DIS CPL USA, Inc.\\\",\\n \\\"Micro Focus International plc\\\",\\n \\\"HYPR Corp\\\",\\n \\\"Intel(R) Software Development Products\\\",\\n \\\"PGP Corporation\\\",\\n \\\"Parallels International GmbH\\\",\\n \\\"FrontRange Solutions Deutschland GmbH\\\",\\n \\\"SecureLink, Inc.\\\",\\n \\\"Tidexa OU\\\",\\n \\\"Amazon Web Services, Inc.\\\",\\n \\\"SentryBay Limited\\\",\\n \\\"Audinate Pty Ltd\\\",\\n \\\"CyberArk Software Ltd.\\\",\\n \\\"McAfeeSysPrep\\\",\\n \\\"NVIDIA Corporation PE Sign v2016\\\",\\n \\\"Trend Micro, Inc.\\\",\\n \\\"Fortinet Technologies (Canada) Inc.\\\",\\n \\\"Carbon Black, Inc.\\\") and\\n dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\")) and\\n\\n not dll.hash.sha256 :\\n (\\\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\\\",\\n \\\"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\\\",\\n \\\"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\\\",\\n 
\\\"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\\\",\\n \\\"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\\\",\\n \\\"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\\\",\\n \\\"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\\\",\\n \\\"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\\\",\\n \\\"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"revision\":0,\"current_rule\":{\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"updated_at\":\"2024-12-04T19:45:45.934Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.934Z\",\"created_by\":\"elastic\",\"name\":\"VNC (Virtual Network Computing) to the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of VNC traffic to the Internet. 
VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"VNC (Virtual Network Computing) to the Internet\",\"description\":\"This rule detects network events that may indicate the use of VNC traffic to the Internet. 
VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. 
Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"6de37c81-9085-43b0-b00f-12b6ed2c4106\",\"rule_id\":\"3ad49c61-7adc-42c1-b788-732eda2f5abf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.934Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 
192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"revision\":0,\"current_rule\":{\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"updated_at\":\"2024-12-04T19:45:45.941Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.941Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Parent Process for cmd.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"epad.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"dllhost.exe\\\",\\n \\\"LogonUI.exe\\\",\\n \\\"wermgr.exe\\\",\\n \\\"spoolsv.exe\\\",\\n \\\"jucheck.exe\\\",\\n \\\"jusched.exe\\\",\\n \\\"ctfmon.exe\\\",\\n \\\"taskhostw.exe\\\",\\n \\\"GoogleUpdate.exe\\\",\\n \\\"sppsvc.exe\\\",\\n \\\"sihost.exe\\\",\\n \\\"slui.exe\\\",\\n \\\"SIHClient.exe\\\",\\n \\\"SearchIndexer.exe\\\",\\n \\\"SearchProtocolHost.exe\\\",\\n \\\"FlashPlayerUpdateService.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WUDFHost.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wlanext.exe\\\" ) and\\n not (process.parent.name : \\\"dllhost.exe\\\" and process.parent.args : \\\"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Parent Process for cmd.exe\",\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":413,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for 
Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b54825ba-28f7-4928-9978-6016c6ff0fc7\",\"rule_id\":\"3b47900d-e793-49e8-968f-c90dc3526aa1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.941Z\",\"created_by\":\"elastic\",\"revision\
":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and\\n process.parent.name : (\\\"lsass.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"epad.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"dllhost.exe\\\",\\n \\\"LogonUI.exe\\\",\\n \\\"wermgr.exe\\\",\\n \\\"spoolsv.exe\\\",\\n \\\"jucheck.exe\\\",\\n \\\"jusched.exe\\\",\\n \\\"ctfmon.exe\\\",\\n \\\"taskhostw.exe\\\",\\n \\\"GoogleUpdate.exe\\\",\\n \\\"sppsvc.exe\\\",\\n \\\"sihost.exe\\\",\\n \\\"slui.exe\\\",\\n \\\"SIHClient.exe\\\",\\n \\\"SearchIndexer.exe\\\",\\n \\\"SearchProtocolHost.exe\\\",\\n \\\"FlashPlayerUpdateService.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WUDFHost.exe\\\",\\n \\\"unsecapp.exe\\\",\\n \\\"wlanext.exe\\\" ) and\\n not (process.parent.name : \\\"dllhost.exe\\\" and process.parent.args : \\\"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":413,\"merged_version\":413,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"revision\":0,\"current_rule\":{\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"updated_at\":\"2024-12-04T19:45:45.944Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.944Z\",\"created_by\":\"elastic\",\"name\":\"NTDS or SAM Database File Copied\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. 
Those files contain sensitive information including hashed domain and/or local credentials.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating NTDS or SAM Database File Copied\\n\\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\\n\\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\\n- Determine whether the file was potentially exfiltrated from the subject host.\\n- Scope compromised credentials and disable the accounts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n 
((?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\") or process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\")) and\\n process.args : (\\\"copy\\\", \\\"xcopy\\\", \\\"Copy-Item\\\", \\\"move\\\", \\\"cp\\\", \\\"mv\\\")\\n ) or\\n ((?process.pe.original_file_name : \\\"esentutl.exe\\\" or process.name : \\\"esentutl.exe\\\") and process.args : (\\\"*/y*\\\", \\\"*/vss*\\\", \\\"*/d*\\\"))\\n ) and\\n process.command_line : (\\\"*\\\\\\\\ntds.dit*\\\", \\\"*\\\\\\\\config\\\\\\\\SAM*\\\", \\\"*\\\\\\\\*\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\HarddiskVolumeShadowCopy*\\\\\\\\*\\\", \\\"*/system32/config/SAM*\\\", \\\"*\\\\\\\\User Data\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NTDS or SAM Database File Copied\",\"description\":\"Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating NTDS or SAM Database File Copied\\n\\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\\n\\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\\n- Determine whether the file was potentially exfiltrated from the subject host.\\n- Scope compromised credentials and disable the accounts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cba2d4de-5a9b-49ac-9dba-6d3bc473b1d3\",\"rule_id\":\"3bc6deaa-fbd4-433a-ae21-3e892f95624f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.944Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\") or process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\", \\\"XCOPY.EXE\\\")) and\\n process.args : (\\\"copy\\\", \\\"xcopy\\\", \\\"Copy-Item\\\", \\\"move\\\", \\\"cp\\\", \\\"mv\\\")\\n ) or\\n ((?process.pe.original_file_name : \\\"esentutl.exe\\\" or process.name : \\\"esentutl.exe\\\") and process.args : (\\\"*/y*\\\", \\\"*/vss*\\\", \\\"*/d*\\\"))\\n ) and\\n process.command_line : (\\\"*\\\\\\\\ntds.dit*\\\", \\\"*\\\\\\\\config\\\\\\\\SAM*\\\", 
\\\"*\\\\\\\\*\\\\\\\\GLOBALROOT\\\\\\\\Device\\\\\\\\HarddiskVolumeShadowCopy*\\\\\\\\*\\\", \\\"*/system32/config/SAM*\\\", \\\"*\\\\\\\\User Data\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"target_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\",\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"revision\":0,\"current_rule\":{\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"updated_at\":\"2024-12-04T19:46:03.745Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.745Z\",\"created_by\":\"elastic\",\"name\":\"ScreenConnect Server Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). 
This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blackpointcyber.com/resources/blog/breaking-through-the-screen/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"ScreenConnect.Service.exe\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"csc.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ScreenConnect Server Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). 
This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blackpointcyber.com/resources/blog/breaking-through-the-screen/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2a693101-4227-4177-a0f1-709c3cfba820\",\"rule_id\":\"3d00feab-e203-4acc-a463-c3e15b7e9a73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.745Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"ScreenConnect.Service.exe\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"csc.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", 
\\\"powershell_ise.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"revision\":0,\"current_rule\":{\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"updated_at\":\"2024-12-04T19:45:45.948Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.948Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Log Clear Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\",\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Clear-EventLog\\\" or\\n \\\"Remove-EventLog\\\" or\\n (\\\"Eventing.Reader.EventLogSession\\\" and \\\".ClearLog\\\") or\\n (\\\"Diagnostics.EventLog\\\" and \\\".Clear\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\"\\\"\\n ) and\\n not 
file.directory : \\\"C:\\\\Program Files\\\\WindowsAdminCenter\\\\PowerShellModules\\\\Microsoft.WindowsAdminCenter.Configuration\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Resources\\\\\\\\*\\\\\\\\M365Library.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Log Clear Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear\",\"https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"81c0120d-5eb1-43a9-a77c-6a04b463a21d\",\"rule_id\":\"3d3aa8f9-12af-441f-9344-9f31053e316d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.948Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Resources\\\\\\\\*\\\\\\\\M365Library.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Clear-EventLog\\\" or\\n \\\"Remove-EventLog\\\" or\\n (\\\"Eventing.Reader.EventLogSession\\\" and \\\".ClearLog\\\") or\\n (\\\"Diagnostics.EventLog\\\" and \\\".Clear\\\")\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"CmdletsToExport=@(\\\\\\\"Add-Content\\\\\\\"\\\"\\n ) and\\n not file.directory : \\\"C:\\\\Program 
Files\\\\WindowsAdminCenter\\\\PowerShellModules\\\\Microsoft.WindowsAdminCenter.Configuration\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"revision\":0,\"current_rule\":{\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"updated_at\":\"2024-12-04T19:45:45.956Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.956Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects Linux Bash commands from the the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\",\"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\",\"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and ?process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Windows Subsystem for Linux\",\"description\":\"Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\",\"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/\",\"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"163a15e9-3956-4f58-8253-ecf0724e7d5a\",\"rule_id\":\"3e0eeb75-16e8-4f2f-9826-62461ca128b7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.956Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not 
process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and ?process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program 
Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\bash.exe\\\" or ?process.pe.original_file_name == \\\"Bash.exe\\\") and \\n not process.command_line : (\\\"bash\\\", \\\"bash.exe\\\")\\n ) or \\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\*\\\\\\\\rootfs\\\\\\\\usr\\\\\\\\bin\\\\\\\\bash\\\" or \\n (\\n process.parent.name : \\\"wsl.exe\\\" and process.parent.command_line : \\\"bash*\\\" and not process.name : \\\"wslhost.exe\\\"\\n ) or \\n (\\n 
process.name : \\\"wsl.exe\\\" and process.args : (\\n \\\"curl\\\", \\\"/etc/shadow\\\", \\\"/etc/passwd\\\", \\\"cat\\\", \\\"--system\\\", \\\"root\\\", \\\"-e\\\", \\\"--exec\\\", \\\"bash\\\", \\\"/mnt/c/*\\\"\\n ) and not process.args : (\\\"wsl-bootstrap\\\", \\\"docker-desktop-data\\\", \\\"*.vscode-server*\\\")\\n )\\n ) and \\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Docker\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"revision\":0,\"current_rule\":{\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"updated_at\":\"2024-12-04T19:45:45.965Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.965Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Emond Child Process\",\"tags\":[\"Domain: 
Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.014\",\"name\":\"Emond\",\"reference\":\"https://attack.mitre.org/techniques/T1546/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.xorrior.com/emond-persistence/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"macos\\\" and event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.parent.name : \\\"emond\\\" and\\n process.name : (\\n \\\"bash\\\",\\n \\\"dash\\\",\\n \\\"sh\\\",\\n \\\"tcsh\\\",\\n \\\"csh\\\",\\n \\\"zsh\\\",\\n \\\"ksh\\\",\\n \\\"fish\\\",\\n \\\"Python\\\",\\n \\\"python*\\\",\\n \\\"perl*\\\",\\n \\\"php*\\\",\\n \\\"osascript\\\",\\n \\\"pwsh\\\",\\n \\\"curl\\\",\\n \\\"wget\\\",\\n \\\"cp\\\",\\n \\\"mv\\\",\\n \\\"touch\\\",\\n \\\"echo\\\",\\n \\\"base64\\\",\\n \\\"launchctl\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Emond Child Process\",\"description\":\"Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). 
Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.014\",\"name\":\"Emond\",\"reference\":\"https://attack.mitre.org/techniques/T1546/014/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, for MacOS it is recommended to select \\\"Traditional Endpoints\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"16cdb383-d384-4cb6-be65-3e29beb7845f\",\"rule_id\":\"3e3d15c6-1509-479a-b125-21718372157e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:45.965Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"macos\\\" and event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.parent.name : \\\"emond\\\" and\\n process.name : (\\n \\\"bash\\\",\\n \\\"dash\\\",\\n \\\"sh\\\",\\n \\\"tcsh\\\",\\n \\\"csh\\\",\\n \\\"zsh\\\",\\n \\\"ksh\\\",\\n \\\"fish\\\",\\n \\\"Python\\\",\\n \\\"python*\\\",\\n \\\"perl*\\\",\\n \\\"php*\\\",\\n \\\"osascript\\\",\\n \\\"pwsh\\\",\\n \\\"curl\\\",\\n \\\"wget\\\",\\n \\\"cp\\\",\\n \\\"mv\\\",\\n \\\"touch\\\",\\n \\\"echo\\\",\\n \\\"base64\\\",\\n 
\\\"launchctl\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.xorrior.com/emond-persistence/\"],\"target_version\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"merged_version\":[\"https://www.xorrior.com/emond-persistence/\",\"https://www.elastic.co/security-labs/handy-elastic-tools-for-the-enthusiastic-detection-engineer\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"revision\":0,\"current_rule\":{\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"updated_at\":\"2024-12-04T19:45:46.674Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.674Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Named Pipe Impersonation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via named pipe impersonation. 
An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privilege Escalation via Named Pipe Impersonation\\n\\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\\n\\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation\",\"https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/\",\"https://redcanary.com/blog/getsystem-offsec/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\") or ?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\")) and\\n process.args : \\\"echo\\\" and process.args : \\\">\\\" and process.args : \\\"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Named Pipe Impersonation\",\"description\":\"Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privilege Escalation via Named Pipe Impersonation\\n\\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\\n\\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. 
Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation\",\"https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/\",\"https://redcanary.com/blog/getsystem-offsec/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"32ad672c-d860-4dbe-bbc5-733558b0fbd0\",\"rule_id\":\"3ecbdc9e-e4f2-43fa-8cca-63802125e582\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.674Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\") or ?process.pe.original_file_name in (\\\"Cmd.Exe\\\", \\\"PowerShell.EXE\\\")) and\\n process.args : \\\"echo\\\" and process.args : \\\">\\\" and process.args : \\\"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"revision\":0,\"current_rule\":{\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"updated_at\":\"2024-12-04T19:45:46.677Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.677Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Creation CallTrace\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. 
This may indicate a code injection attempt.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Creation CallTrace\\n\\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Create a memory dump of the child process for analysis.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetProcessGUID\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\
"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"1\\\" and\\n /* sysmon process creation */\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\", \\\"fltldr.exe\\\",\\n \\\"mspub.exe\\\", \\\"msaccess.exe\\\",\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") and\\n\\n /* noisy FP patterns */\\n not (process.parent.name : \\\"EXCEL.EXE\\\" and process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\ADDINS\\\\\\\\*.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\splwow64.exe\\\" and process.args in (\\\"8192\\\", \\\"12288\\\") and process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"rundll32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\", \\\"--no-sandbox\\\")) and\\n not (process.executable :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\DWWIN.EXE\\\") and\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"regsvr32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\"))\\n ] by process.parent.entity_id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.code == 
\\\"10\\\" and\\n /* Sysmon process access event from unknown module */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"] by process.entity_id, winlog.event_data.TargetProcessGUID\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Creation CallTrace\",\"description\":\"Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Creation CallTrace\\n\\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Create a memory dump of the child process for analysis.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetProcessGUID\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"9805ab76-5a00-44fc-b1e0-db8b112a3ea3\",\"rule_id\":\"3ed032b2-45d8-4406-bc79-7ad1eabb2c72\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.677Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"1\\\" and\\n /* sysmon process creation */\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\", \\\"fltldr.exe\\\",\\n \\\"mspub.exe\\\", \\\"msaccess.exe\\\",\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") and\\n\\n /* noisy FP patterns */\\n not (process.parent.name : \\\"EXCEL.EXE\\\" and process.executable : \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\Office*\\\\\\\\ADDINS\\\\\\\\*.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\splwow64.exe\\\" and process.args in (\\\"8192\\\", \\\"12288\\\") and process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"rundll32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\", \\\"--no-sandbox\\\")) and\\n not (process.executable :\\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\msedgewebview2.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\Acrobat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\DWWIN.EXE\\\") and\\n process.parent.name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\")) and\\n not (process.parent.name : \\\"regsvr32.exe\\\" and process.parent.args : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\"))\\n ] by process.parent.entity_id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n /* Sysmon process access event from unknown module */\\n winlog.event_data.CallTrace : \\\"*UNKNOWN*\\\"] by process.entity_id, winlog.event_data.TargetProcessGUID\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"revision\":0,\"current_rule\":{\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"updated_at\":\"2024-12-04T19:45:46.679Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.679Z\",\"created_by\":\"elastic\",\"name\":\"Potential Password Spraying of Microsoft 365 User Accounts\",\"tags\":[\"Domain: Cloud\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. 
An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"from\":\"now-30m\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"to\":\"now\",\"references\":[],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"o365\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-o365*\"],\"query\":\"event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\\nevent.action:(\\\"UserLoginFailed\\\" or \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"actions\":[]},\"target_rule\":{\"name\":\"Deprecated - Potential Password Spraying of Microsoft 365 User 
Accounts\",\"description\":\"Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Cloud\",\"Data Source: Microsoft 365\",\"Use Case: Identity and Access Audit\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-30m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute 
Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"o365\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e62b0f6e-1eeb-4cca-ad5c-31cd67d9c070\",\"rule_id\":\"3efee4f0-182a-40a8-a835-102c68a4175d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.679Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\\nevent.action:(\\\"UserLoginFailed\\\" or \\\"PasswordLogonInitialAuthUsingPassword\\\")\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":25},\"index\":[\"filebeat-*\",\"logs-o365*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Password Spraying of Microsoft 365 User Accounts\",\"target_version\":\"Deprecated - Potential Password Spraying of Microsoft 365 User Accounts\",\"merged_version\":\"Deprecated - Potential Password Spraying of Microsoft 365 User Accounts\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 
User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"merged_version\":\"This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d).\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"revision\":0,\"current_rule\":{\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"updated_at\":\"2024-12-04T19:45:46.684Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.684Z\",\"created_by\":\"elastic\",\"name\":\"Potential Protocol Tunneling via Chisel Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. 
Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Protocol Tunneling via Chisel Client\\n\\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\\n\\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform\",\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis 
rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Protocol Tunneling via Chisel Client\",\"description\":\"This rule monitors for common command line flags leveraged by the Chisel 
client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Protocol Tunneling via Chisel Client\\n\\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\\n\\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform\",\"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d54f4299-11cd-44f9-97cf-ac0564b69c6d\",\"rule_id\":\"3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.684Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and 
process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : 
(\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.args == \\\"client\\\" and process.args : (\\\"R*\\\", \\\"*:*\\\", \\\"*socks*\\\", \\\"*.*\\\") and 
process.args_count >= 4 and \\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and\\n not process.name in (\\\"velociraptor\\\", \\\"nbemmcmd\\\")]\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and \\n destination.ip != null and destination.ip != \\\"127.0.0.1\\\" and destination.ip != \\\"::1\\\" and \\n not process.name : (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\", \\\"java\\\", \\\"telnet\\\",\\n \\\"ftp\\\", \\\"socat\\\", \\\"curl\\\", \\\"wget\\\", \\\"dpkg\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"yum\\\", \\\"apt\\\", \\\"rpm\\\", \\\"dnf\\\", \\\"ssh\\\", \\\"sshd\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"revision\":0,\"current_rule\":{\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"updated_at\":\"2024-12-04T19:45:46.697Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.697Z\",\"created_by\":\"elastic\",\"name\":\"DNF Package Manager Plugin File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. 
In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\n\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\n\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", 
\\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNF Package Manager Plugin File Creation\",\"description\":\"Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\n\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\n\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e1db1993-601c-4c96-be96-608ddb66d0b8\",\"rule_id\":\"3fe4e20c-a600-4a86-9d98-3ecb1ef23550\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.008Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.697Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : (\\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\") and not (\\n process.executable in (\\n \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\", \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\",\\n \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\", \\\"/bin/puppet\\\",\\n \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\", \\\"/bin/autossl_check\\\",\\n \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\",\\n \\\"/usr/libexec/netplan/generate\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"target_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify 
System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"revision\":0,\"current_rule\":{\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"updated_at\":\"2024-12-04T19:45:46.699Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.699Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious by an unsupervised ML model, given that its user context is unusual and does not commonly manifest malicious activity. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a User\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious by an unsupervised ML model, given that its user context is unusual and does not commonly manifest malicious activity. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"3ae32134-8935-4ca9-ae96-0b6442a8e90b\",\"rule_id\":\"40155ee4-1e6a-4e4d-a63b-e8ba16980cfb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.699Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"revision\":0,\"current_rule\":{\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"updated_at\":\"2024-12-04T19:45:40.187Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.187Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Persistence via Services Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n 
\\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Persistence via Services Registry\",\"description\":\"Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. 
This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e39b1a4c-40f0-495d-8f12-388f41297216\",\"rule_id\":\"403ef0d3-8259-40c9-a5b6-d48354712e49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.187Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not registry.data.strings 
: (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"ServiceDLL\\\", \\\"ImagePath\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ServiceDLL\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not 
registry.data.strings : (\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\SystemRoot\\\\\\\\System32\\\\\\\\drivers\\\\\\\\*.sys\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\*.SYS\\\",\\n \\\"\\\\\\\\??\\\\\\\\?:\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\*.sys\\\",\\n \\\"system32\\\\\\\\DRIVERS\\\\\\\\USBSTOR\\\") and\\n not (process.name : \\\"procexp??.exe\\\" and registry.data.strings : \\\"?:\\\\\\\\*\\\\\\\\procexp*.sys\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\winsxs\\\\\\\\*\\\\\\\\TiWorker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drvinst.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\regsvr32.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WaaSMedicAgent.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"revision\":0,\"current_rule\":{\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"updated_at\":\"2024-12-04T19:45:46.702Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.702Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Modprobe File Event\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. 
Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /etc/modprobe.conf -p wa -k modprobe\\n-w /etc/modprobe.d -p wa -k modprobe\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Modprobe File Event\",\"description\":\"Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. 
Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /etc/modprobe.conf -p wa -k modprobe\\n-w /etc/modprobe.d -p wa -k modprobe\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"de42edec-5c76-4bec-9316-df0b80ccaf58\",\"rule_id\":\"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.702Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or 
python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and\\nfile.path : (\\\"/etc/modprobe.conf\\\" or \\\"/etc/modprobe.d\\\" or /etc/modprobe.d/*) and not process.name:(\\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or\\n aide or modprobe or python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"revision\":0,\"current_rule\":{\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"updated_at\":\"2024-12-04T19:45:46.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.704Z\",\"created_by\":\"elastic\",\"name\":\"Unix Socket Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for inter-process communication via Unix sockets. 
Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", 
\\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unix Socket Connection\",\"description\":\"This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process 
Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e36101f2-d400-46ac-ba8c-235bc5a8c8bf\",\"rule_id\":\"41284ba3-ed1a-4598-bfba-a97f75d9aba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in 
(\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name in (\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"nc.openbsd\\\") and \\n process.args == \\\"-U\\\" and process.args : (\\\"/usr/local/*\\\", \\\"/run/*\\\", \\\"/var/run/*\\\")) or\\n (process.name == \\\"socat\\\" and \\n process.args == \\\"-\\\" and process.args : (\\\"UNIX-CLIENT:/usr/local/*\\\", \\\"UNIX-CLIENT:/run/*\\\", \\\"UNIX-CLIENT:/var/run/*\\\"))\\n) and\\nnot process.args == \\\"/var/run/libvirt/libvirt-sock\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"revision\":0,\"current_rule\":{\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"updated_at\":\"2024-12-04T19:45:46.706Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.706Z\",\"created_by\":\"elastic\",\"name\":\"Control Panel Process with Unusual Arguments\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.002\",\"name\":\"Control Panel\",\"reference\":\"https://attack.mitre.org/techniques/T1218/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.joesandbox.com/analysis/476188/1/html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\") and\\n process.command_line :\\n (\\\"*.jpg*\\\",\\n \\\"*.png*\\\",\\n \\\"*.gif*\\\",\\n \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\",\\n \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\",\\n \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Control Panel Process with Unusual Arguments\",\"description\":\"Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. 
Adversaries may abuse control.exe to proxy execution of malicious code.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.joesandbox.com/analysis/476188/1/html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.002\",\"name\":\"Control 
Panel\",\"reference\":\"https://attack.mitre.org/techniques/T1218/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"37a2c95b-b222-4281-8943-1d82ab154490\",\"rule_id\":\"416697ae-e468-4093-a93d-59661fa619ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.706Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n 
\\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\") and\\n process.command_line :\\n (\\\"*.jpg*\\\",\\n \\\"*.png*\\\",\\n \\\"*.gif*\\\",\\n \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\",\\n \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\",\\n \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", 
\\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and \\n process.command_line : (\\n \\\"*.jpg*\\\", \\\"*.png*\\\",\\n \\\"*.gif*\\\", \\\"*.bmp*\\\",\\n \\\"*.jpeg*\\\", \\\"*.TIFF*\\\",\\n \\\"*.inf*\\\", \\\"*.cpl:*/*\\\",\\n \\\"*../../..*\\\",\\n \\\"*/AppData/Local/*\\\",\\n \\\"*:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"updated_at\":\"2024-12-04T19:46:03.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.753Z\",\"created_by\":\"elastic\",\"name\":\"AWS EC2 EBS Snapshot Shared with Another Account\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\\n\\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security:\\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1537\",\"name\":\"Transfer Data to Cloud Account\",\"reference\":\"https://attack.mitre.org/techniques/T1537/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html\",\"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == 
\\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 EBS Snapshot Shared with Another Account\",\"description\":\"Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\\n\\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on EBS snapshot security:\\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\\n\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action.\"],\"references\":[\"https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html\",\"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1537\",\"name\":\"Transfer Data to Cloud 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1537/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"b63d1abd-b59b-4203-b19e-aa893739ab6a\",\"rule_id\":\"4182e486-fc61-11ee-a05d-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, 
event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"ec2.amazonaws.com\\\" and event.action == \\\"ModifySnapshotAttribute\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\\\"\\n| where operationType == \\\"add\\\" and cloud.account.id != userId\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"revision\":0,\"current_rule\":{\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"updated_at\":\"2024-12-04T19:45:46.718Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.718Z\",\"created_by\":\"elastic\",\"name\":\"Process Creation via Secondary Logon\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nAudit events 4624 and 4688 are needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n\\n[authentication where event.action:\\\"logged-in\\\" and\\n event.outcome == \\\"success\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* seclogon service */\\n process.name == \\\"svchost.exe\\\" and\\n 
winlog.event_data.LogonProcessName : \\\"seclogo*\\\" and source.ip == \\\"::1\\\" ] by winlog.event_data.TargetLogonId\\n\\n[process where event.type == \\\"start\\\"] by winlog.event_data.TargetLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Creation via Secondary Logon\",\"description\":\"Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"setup\":\"## Setup\\n\\nAudit events 4624 and 4688 are needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"509f9782-cae1-4981-820a-4926bd9db0b8\",\"rule_id\":\"42eeee3d-947f-46d3-a14d-7036b962c266\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.718Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n\\n[authentication where event.action:\\\"logged-in\\\" and\\n event.outcome == \\\"success\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* seclogon service */\\n process.name == \\\"svchost.exe\\\" and\\n winlog.event_data.LogonProcessName : \\\"seclogo*\\\" and source.ip == \\\"::1\\\" ] by winlog.event_data.TargetLogonId\\n\\n[process where event.type == \\\"start\\\"] by 
winlog.event_data.TargetLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"revision\":0,\"current_rule\":{\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"updated_at\":\"2024-12-04T19:45:46.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.723Z\",\"created_by\":\"elastic\",\"name\":\"Linux User Added to Privileged Group\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Added to Privileged Group\\n\\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\\n\\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\\n\\nThis rule identifies the use of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was successfully added to the privileged group.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Retrieve information about the privileged group to which the user was added.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the account that seems to be involved in malicious activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n process.name == \\\"gpasswd\\\" and \\n process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux User Added to Privileged Group\",\"description\":\"Identifies attempts to add a user to a privileged group. 
Attackers may add users to a privileged group in order to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Added to Privileged Group\\n\\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\\n\\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\\n\\nThis rule identifies the use of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was successfully added to the privileged group.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Retrieve information about the privileged group to which the user was added.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the account that seems to be involved in malicious activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4c1b8461-db71-4881-ad4c-c3e402c9cd39\",\"rule_id\":\"43d6ec12-2b1c-47b5-8f35-e9de65551d3b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) 
\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n process.name == \\\"gpasswd\\\" and \\n process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) 
\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.args in (\\n \\\"root\\\", \\\"admin\\\", \\\"wheel\\\", \\\"staff\\\", \\\"sudo\\\",\\\"disk\\\", \\\"video\\\", \\\"shadow\\\", \\\"lxc\\\", \\\"lxd\\\"\\n) and\\n(\\n process.name in (\\\"usermod\\\", \\\"adduser\\\") or\\n (process.name == \\\"gpasswd\\\" and process.args in (\\\"-a\\\", \\\"--add\\\", \\\"-M\\\", \\\"--members\\\")) \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"revision\":0,\"current_rule\":{\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"updated_at\":\"2024-12-04T19:45:46.725Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.725Z\",\"created_by\":\"elastic\",\"name\":\"Startup Persistence by a Suspicious Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup Persistence by a Suspicious Process\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for 
suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n file.path : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\") and\\n process.name : (\\\"cmd.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"EQNEDT32.EXE\\\",\\n \\\"WINWORD.EXE\\\",\\n \\\"EXCEL.EXE\\\",\\n \\\"POWERPNT.EXE\\\",\\n \\\"MSPUB.EXE\\\",\\n \\\"MSACCESS.EXE\\\",\\n \\\"iexplore.exe\\\",\\n \\\"InstallUtil.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup Persistence by a Suspicious Process\",\"description\":\"Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup Persistence by a Suspicious Process\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for 
suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"110345f8-8835-4667-998f-caba7b0dbacd\",\"rule_id\":\"440e2db4-bc7f-4c96-a068-65b78da59bde\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.725Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n file.path : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\") and\\n process.name : (\\\"cmd.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"wmic.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"EQNEDT32.EXE\\\",\\n \\\"WINWORD.EXE\\\",\\n \\\"EXCEL.EXE\\\",\\n \\\"POWERPNT.EXE\\\",\\n \\\"MSPUB.EXE\\\",\\n \\\"MSACCESS.EXE\\\",\\n \\\"iexplore.exe\\\",\\n 
\\\"InstallUtil.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"revision\":0,\"current_rule\":{\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"updated_at\":\"2024-12-04T19:45:46.728Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.728Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Path Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. 
Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_path_activity\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Path Activity\",\"description\":\"Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. 
In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"fa9b37c7-81a2-4654-944a-7af04298248f\",\"rule_id\":\"445a342e-03fb-42d0-8656-0367eb2dead5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.728Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_path_activity\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"revision\":0,\"current_rule\":{\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"updated_at\":\"2024-12-04T19:45:46.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.736Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Vault Web Credentials Read\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Resource\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SchemaFriendlyName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.process.pid\",\"type\":\"long\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\\n\\n /* 2 consecutive vault reads from same pid for web creds */\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not 
winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Vault Web Credentials Read\",\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Resource\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SchemaFriendlyName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.process.pid\",\"type\":\"long\",\"ecs\":false}],\"id\":\"5b1eba63-6e0a-461c-b968-1cc433a39186\",\"rule_id\":\"44fc462c-1159-4fa8-b1b7-9b6296ab4f96\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\\n\\n /* 2 consecutive vault reads from same pid for web creds */\\n\\n [any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\\n 
[any where event.code : \\\"5382\\\" and\\n (winlog.event_data.SchemaFriendlyName : \\\"Windows Web Password Credential\\\" and winlog.event_data.Resource : \\\"http*\\\") and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and \\n not winlog.event_data.Resource : \\\"http://localhost/\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"revision\":0,\"current_rule\":{\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"updated_at\":\"2024-12-04T19:45:46.746Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.746Z\",\"created_by\":\"elastic\",\"name\":\"Windows Event Logs Cleared\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Event Logs Cleared\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the occurrence of clear actions on the `security` event log.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Anabella Cristaldi\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.provider_name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"audit-log-cleared\\\" or \\\"Log clear\\\") and winlog.api:\\\"wineventlog\\\" and\\n not winlog.provider_name:\\\"AD FS Auditing\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Event Logs 
Cleared\",\"description\":\"Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Event Logs Cleared\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the occurrence of clear actions on the `security` event log.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Anabella Cristaldi\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event 
Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.provider_name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"0c7b9bee-60cd-4975-b99e-6d2371bbcf65\",\"rule_id\":\"45ac4800-840f-414c-b221-53dd36a5aaf7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.746Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"audit-log-cleared\\\" or \\\"Log clear\\\") and winlog.api:\\\"wineventlog\\\" and\\n not winlog.provider_name:\\\"AD FS Auditing\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"revision\":0,\"current_rule\":{\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"updated_at\":\"2024-12-04T19:45:46.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.748Z\",\"created_by\":\"elastic\",\"name\":\"Encrypting Files with WinRar or 7z\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Encrypting Files with WinRar or 7z\\n\\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. 
Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\\n\\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Retrieve the encrypted file.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the password used in the encryption was included in the command line.\\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\\n- Investigate if the file was transferred to an attacker-controlled server.\\n\\n### False positive analysis\\n\\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\",\"subtechnique\":[{\"id\":\"T1560.001\",\"name\":\"Archive via 
Utility\",\"reference\":\"https://attack.mitre.org/techniques/T1560/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n 
?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\") and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Encrypting Files with WinRar or 7z\",\"description\":\"Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Encrypting Files with WinRar or 7z\\n\\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\\n\\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Retrieve the encrypted file.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the password used in the encryption was included in the command line.\\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\\n- Investigate if the file was transferred to an attacker-controlled server.\\n\\n### False positive analysis\\n\\n- Backup software can use these utilities. Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1560\",\"name\":\"Archive Collected Data\",\"reference\":\"https://attack.mitre.org/techniques/T1560/\",\"subtechnique\":[{\"id\":\"T1560.001\",\"name\":\"Archive via Utility\",\"reference\":\"https://attack.mitre.org/techniques/T1560/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c16b0c45-f020-44a1-bcc2-f12208058b11\",\"rule_id\":\"45d273fb-1dca-457d-9855-bcb302180c21\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program 
Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\"],\"target_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) 
or\\n (\\n ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\") and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == \\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n process.name:\\\"rar.exe\\\" or ?process.code_signature.subject_name == 
\\\"win.rar GmbH\\\" or\\n ?process.pe.original_file_name == \\\"Command line RAR\\\"\\n ) and\\n process.args == \\\"a\\\" and process.args : (\\\"-hp*\\\", \\\"-p*\\\", \\\"/hp*\\\", \\\"/p*\\\")\\n ) or\\n (\\n (process.name : (\\\"7z.exe\\\", \\\"7za.exe\\\") or ?process.pe.original_file_name in (\\\"7z.exe\\\", \\\"7za.exe\\\")) and\\n process.args == \\\"a\\\" and process.args : \\\"-p*\\\"\\n )\\n) and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ManageEngine\\\\\\\\*\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Nox\\\\\\\\bin\\\\\\\\Nox.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"revision\":0,\"current_rule\":{\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"updated_at\":\"2024-12-04T19:45:46.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.750Z\",\"created_by\":\"elastic\",\"name\":\"Adding Hidden File Attribute via Attrib\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adding Hidden File Attribute via Attrib\\n\\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \\n\\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\\n\\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the target file or folder.\\n - Examine the file, which process created it, header, etc.\\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"attrib.exe\\\" or ?process.pe.original_file_name == \\\"ATTRIB.EXE\\\") and process.args : \\\"+h\\\" and\\n not (process.parent.name: \\\"cmd.exe\\\" and process.command_line: \\\"attrib +R +H +S +A *.cui\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Adding Hidden File Attribute via Attrib\",\"description\":\"Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Adding Hidden File Attribute 
via Attrib\\n\\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \\n\\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\\n\\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the target file or folder.\\n - Examine the file, which process created it, header, etc.\\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f87115c-6e23-456e-ac3b-903ea75bd945\",\"rule_id\":\"4630d948-40d4-4cef-ac69-4002e29bc3db\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"attrib.exe\\\" or ?process.pe.original_file_name == \\\"ATTRIB.EXE\\\") and process.args : \\\"+h\\\" and\\n not (process.parent.name: \\\"cmd.exe\\\" and process.command_line: \\\"attrib +R +H +S +A 
*.cui\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"revision\":0,\"current_rule\":{\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"updated_at\":\"2024-12-04T19:45:46.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.753Z\",\"created_by\":\"elastic\",\"name\":\"Potential Local NTLM Relay via HTTP\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. 
An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1212\",\"name\":\"Exploitation for Credential Access\",\"reference\":\"https://attack.mitre.org/techniques/T1212/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/med0x2e/NTLMRelay2Self\",\"https://github.com/topotam/PetitPotam\",\"https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*
\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n\\n /* Rundll32 WbeDav Client */\\n process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\davclnt.dll,DavSetCookie\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\davclnt.dll,DavSetCookie\\\") and\\n\\n /* Access to named pipe via http */\\n process.args : (\\\"http*/print/pipe/*\\\", \\\"http*/pipe/spoolss\\\", \\\"http*/pipe/srvsvc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Local NTLM Relay via HTTP\",\"description\":\"Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/med0x2e/NTLMRelay2Self\",\"https://github.com/topotam/PetitPotam\",\"https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1212\",\"name\":\"Exploitation for Credential Access\",\"reference\":\"https://attack.mitre.org/techniques/T1212/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f229becf-c8de-4ef7-adba-99dc93f8e5b4\",\"rule_id\":\"4682fd2c-cfae-47ed-a543-9bed37657aa6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n\\n /* Rundll32 WbeDav Client */\\n process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\davclnt.dll,DavSetCookie\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\davclnt.dll,DavSetCookie\\\") and\\n\\n /* Access to named pipe 
via http */\\n process.args : (\\\"http*/print/pipe/*\\\", \\\"http*/pipe/spoolss\\\", \\\"http*/pipe/srvsvc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"revision\":0,\"current_rule\":{\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"updated_at\":\"2024-12-04T19:45:46.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.757Z\",\"created_by\":\"elastic\",\"name\":\"System V Init Script Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \\\"systemd-sysv-generator\\\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating System V Init Script Created\\n\\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\\n\\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\\n\\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. 
Executable files in these directories will automatically run at boot with root privileges.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. 
\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"t
ype\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", 
\\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System V Init Script Created\",\"description\":\"Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \\\"systemd-sysv-generator\\\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System V Init Script Created\\n\\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\\n\\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\\n\\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. 
Executable files in these directories will automatically run at boot with root privileges.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. 
\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the maliciously created service/init.d files or restore them to the original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":13,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"93d5cee1-32db-4830-a855-4e562cb1872d\",\"rule_id\":\"474fd20e-14cc-49c5-8160-d9ab4ba16c8b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.009Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":13,\"merged_version\":13,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", 
\\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\", \\\"rename\\\", \\\"file_rename_event\\\")\\nand file.path : \\\"/etc/init.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.path like (\\\"/etc/init.d/*beat*\\\", \\\"/etc/init.d/elastic-agent*\\\") or\\n process.executable like (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\") or\\n process.name in (\\\"docker-init\\\", \\\"jumpcloud-agent\\\", \\\"crio\\\") or\\n process.executable == null or\\n (process.name == \\\"ln\\\" and file.path : \\\"/etc/init.d/rc*.d/*\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"revision\":0,\"current_rule\":{\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"updated_at\":\"2024-12-04T19:45:46.762Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.762Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Remote Registry Access via SeBackupPrivilege\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\\n\\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\\n\\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. 
This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the activities done by the subject user during the login session. The field `winlog.event_data.SubjectLogonId` can be used to get this data.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\\n- Investigate if the registry file was retrieved or exfiltrated.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Limit or disable the involved user account to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/mpgn/BackupOperatorToDA\",\"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success)\\n```\\n\\nThe 'Special Logon' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nLogon/Logoff >\\nSpecial Logon (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\\n [iam where event.action == 
\\\"logged-in-special\\\" and\\n winlog.event_data.PrivilegeList : \\\"SeBackupPrivilege\\\" and\\n\\n /* excluding accounts with existing privileged access */\\n not winlog.event_data.PrivilegeList : \\\"SeDebugPrivilege\\\"]\\n [any where event.action == \\\"Detailed File Share\\\" and winlog.event_data.RelativeTargetName : \\\"winreg\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Remote Registry Access via SeBackupPrivilege\",\"description\":\"Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\\n\\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\\n\\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\\n- Investigate if the registry file was retrieved or exfiltrated.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Limit or disable the involved user account to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/mpgn/BackupOperatorToDA\",\"https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"setup\":\"## Setup\\n\\nThe 
'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success)\\n```\\n\\nThe 'Special Logon' audit policy must be configured (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nLogon/Logoff >\\nSpecial Logon (Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.RelativeTargetName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"3a5ead1c-b7b0-4d24-b832-9190c945d902\",\"rule_id\":\"47e22836-4a16-4b35-beee-98f6c4ee9bf2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.762Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\\n [iam where event.action == \\\"logged-in-special\\\" and\\n winlog.event_data.PrivilegeList : \\\"SeBackupPrivilege\\\" and\\n\\n /* excluding accounts with existing privileged access */\\n not winlog.event_data.PrivilegeList : 
\\\"SeDebugPrivilege\\\"]\\n [any where event.action == \\\"Detailed File Share\\\" and winlog.event_data.RelativeTargetName : \\\"winreg\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"revision\":0,\"current_rule\":{\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"updated_at\":\"2024-12-04T19:45:46.771Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.771Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Server UM Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. 
If known processes are causing false positives, they can be exempted from the rule.\"],\"from\":\"now-9m\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Server UM Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26857.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule.\"],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3289da0a-f108-4fc1-ac59-6687aa07ed9a\",\"rule_id\":\"483c4daf-b0c6-49e0-adf3-0bfa93231d6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.771Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange 
Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 
Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"UMService.exe\\\", \\\"UMWorkerProcess.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"D:\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"E:\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\werfault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\V??\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\Microsoft\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange 2016\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\ExchangeServer\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Exchange Server\\\\\\\\V15\\\\\\\\Bin\\\\\\\\UMWorkerProcess.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"revision\":0,\"current_rule\":{\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"updated_at\":\"2024-12-04T19:45:46.778Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.778Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Logon Failure from the same Source 
Address\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure from the same Source Address\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user names.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\\n\\n### False positive analysis\\n\\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password 
Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\",\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624\",\"https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity\",\"https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). 
This edge case will break the rule condition and it won't trigger an alert.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /*\\n noisy failure status codes often associated to authentication misconfiguration :\\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\\n 0XC000005E\\t- There are currently no logon servers available to service the logon request.\\n 0XC0000133\\t- Clocks between DC and other computer too far out of sync.\\n 0XC0000192\\tAn attempt was made to logon, but the Netlogon service was not started.\\n */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Logon Failure from the same Source Address\",\"description\":\"Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure from the same Source Address\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. 
Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user names.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\\n\\n### False positive analysis\\n\\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\",\"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624\",\"https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity\",\"https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"5ad3f6ca-3270-48a5-9bc5-3af1c77e61b7\",\"rule_id\":\"48b6edfc-079d-4907-b43c-baffa243270d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.778Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : 
(\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /*\\n noisy failure status codes often associated to authentication misconfiguration :\\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\\n 0XC000005E\\t- There are currently no logon servers available to service the logon request.\\n 0XC0000133\\t- Clocks between DC and other computer too far out of sync.\\n 0XC0000192\\tAn attempt was made to logon, but the Netlogon service was not started.\\n */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"revision\":0,\"current_rule\":{\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"updated_at\":\"2024-12-04T19:45:46.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.790Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Backdoor User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the attempt to create a new backdoor user by setting the user's UID to 0. 
Attackers may alter a user's UID to 0 to establish persistence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux Backdoor User Account Creation\\n\\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\\n\\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\\n\\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve User Accounts with a UID of 0\\\",\\\"query\\\":\\\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\\\n'0'\\\\n\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"usermod\\\" and process.args : \\\"-u\\\" and process.args : \\\"0\\\" and process.args : \\\"-o\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Backdoor User Account Creation\",\"description\":\"Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Linux Backdoor User Account Creation\\n\\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\\n\\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\\n\\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. 
\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve User Accounts with a UID of 0\\\",\\\"query\\\":\\\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\\\n'0'\\\\n\\\"}}\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"404f2105-3fbd-4252-b182-c8c8b1d5cf3e\",\"rule_id\":\"494ebba4-ecb7-4be4-8c6f-654c686549ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"usermod\\\" and process.args : \\\"-u\\\" and process.args : \\\"0\\\" and process.args : 
\\\"-o\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"updated_at\":\"2024-12-04T19:45:46.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.792Z\",\"created_by\":\"elastic\",\"name\":\"Application Removed from Blocklist in Google Workspace\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. 
This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Removed from Blocklist in Google Workspace\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\\n\\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- After identifying the involved user account, review 
other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.old_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.type:\\\"change\\\" and\\n event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and\\n google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\" and\\n 
google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Application Removed from Blocklist in Google Workspace\",\"description\":\"Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Removed from Blocklist in Google Workspace\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\\n\\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- 
Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, 
`var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.old_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"790dc731-0379-4c2a-9973-c288675d46f4\",\"rule_id\":\"495e5f2e-2480-11ed-bea8-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.type:\\\"change\\\" and\\n event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and\\n google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\" and\\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"revision\":0,\"current_rule\":{\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"updated_at\":\"2024-12-04T19:45:46.794Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.794Z\",\"created_by\":\"elastic\",\"name\":\"Process Discovery Using Built-in Tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies the execution of commands that can be used to enumerate running processes. 
Adversaries may enumerate processes to identify installed applications and security solutions.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name :(\\\"PsList.exe\\\", \\\"qprocess.exe\\\") or \\n (process.name : \\\"powershell.exe\\\" and process.args : (\\\"*get-process*\\\", \\\"*Win32_Process*\\\")) or \\n (process.name : \\\"wmic.exe\\\" and process.args : (\\\"process\\\", \\\"*Win32_Process*\\\")) or\\n (process.name : \\\"tasklist.exe\\\" and not process.args : (\\\"pid eq*\\\")) or\\n (process.name : \\\"query.exe\\\" and process.args : 
\\\"process\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Discovery Using Built-in Tools\",\"description\":\"This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f6b901eb-1783-4b2b-9b0b-f03cfd679ce0\",\"rule_id\":\"4982ac3e-d0ee-4818-b95d-d9522d689259\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.794Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name :(\\\"PsList.exe\\\", \\\"qprocess.exe\\\") or \\n (process.name : \\\"powershell.exe\\\" and process.args : (\\\"*get-process*\\\", \\\"*Win32_Process*\\\")) or \\n (process.name : \\\"wmic.exe\\\" and process.args : (\\\"process\\\", \\\"*Win32_Process*\\\")) or\\n (process.name : \\\"tasklist.exe\\\" and not process.args : (\\\"pid eq*\\\")) or\\n (process.name : \\\"query.exe\\\" and process.args : \\\"process\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"revision\":0,\"current_rule\":{\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"updated_at\":\"2024-12-04T19:45:46.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.797Z\",\"created_by\":\"elastic\",\"name\":\"Possible FIN7 DGA Command and Control Behavior\",\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects a 
known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.\"],\"from\":\"now-9m\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation 
Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"query\",\"language\":\"lucene\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.tls OR network_traffic.http) OR\\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\\ndestination.domain:/[a-zA-Z]{4,5}\\\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Possible FIN7 DGA Command and Control Behavior\",\"description\":\"This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. 
Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"ac85f86e-5692-4a48-b499-4b66b2da7970\",\"rule_id\":\"4a4e23cf-78a2-449c-bac3-701924c269d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:46.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.tls OR 
network_traffic.http) OR\\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\\ndestination.domain:/[a-zA-Z]{4,5}\\\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\\n\",\"language\":\"lucene\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"target_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"revision\":0,\"current_rule\":{\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"updated_at\":\"2024-12-04T19:46:03.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.757Z\",\"created_by\":\"elastic\",\"name\":\"Potential Cross Site Scripting (XSS)\",\"tags\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1189\",\"name\":\"Drive-by 
Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1189/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/payloadbox/xss-payload-list\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"apm\",\"version\":\"^8.0.0\"}],\"required_fields\":[{\"name\":\"processor.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"url.fragment\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"apm-*-transaction*\",\"traces-apm*\"],\"query\":\"any where processor.name == \\\"transaction\\\" and\\nurl.fragment : (\\\"\\\", \\\"\\\", \\\"*onerror=*\\\", \\\"*javascript*alert*\\\", \\\"*eval*(*)*\\\", \\\"*onclick=*\\\",\\n\\\"*alert(document.cookie)*\\\", \\\"*alert(document.domain)*\\\",\\\"*onresize=*\\\",\\\"*onload=*\\\",\\\"*onmouseover=*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Cross Site Scripting (XSS)\",\"description\":\"Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. 
This detection rule identifies the potential malicious executions of such browser-side scripts.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/payloadbox/xss-payload-list\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1189\",\"name\":\"Drive-by Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1189/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"apm\",\"version\":\"^8.0.0\"}],\"required_fields\":[{\"name\":\"processor.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"url.fragment\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"834d06a5-d955-4007-9f25-9b5f6917f6f6\",\"rule_id\":\"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where processor.name == \\\"transaction\\\" and\\nurl.fragment : (\\\"\\\", \\\"\\\", \\\"*onerror=*\\\", \\\"*javascript*alert*\\\", \\\"*eval*(*)*\\\", \\\"*onclick=*\\\",\\n\\\"*alert(document.cookie)*\\\", 
\\\"*alert(document.domain)*\\\",\\\"*onresize=*\\\",\\\"*onload=*\\\",\\\"*onmouseover=*\\\")\\n\",\"language\":\"eql\",\"index\":[\"apm-*-transaction*\",\"traces-apm*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\"],\"target_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"merged_version\":[\"Data Source: APM\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"revision\":0,\"current_rule\":{\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"updated_at\":\"2024-12-04T19:45:47.885Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.885Z\",\"created_by\":\"elastic\",\"name\":\"Disable Windows Firewall Rules via Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the netsh.exe to disable or weaken the local firewall. 
Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Firewall Rules via Netsh\\n\\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"netsh.exe\\\" and\\n (\\n (process.args : \\\"disable\\\" and process.args : \\\"firewall\\\" and process.args : \\\"set\\\") or\\n (process.args : \\\"advfirewall\\\" and process.args : \\\"off\\\" and process.args : \\\"state\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disable Windows Firewall Rules via Netsh\",\"description\":\"Identifies use of the netsh.exe to disable or weaken the local firewall. 
Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Firewall Rules via Netsh\\n\\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"57c025be-d199-419e-9991-f95959915749\",\"rule_id\":\"4b438734-3793-4fda-bd42-ceeada0be8f9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.885Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"netsh.exe\\\" and\\n (\\n (process.args : \\\"disable\\\" and process.args : \\\"firewall\\\" and process.args : \\\"set\\\") or\\n (process.args : \\\"advfirewall\\\" and process.args : \\\"off\\\" and process.args : \\\"state\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"revision\":0,\"current_rule\":{\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"updated_at\":\"2024-12-04T19:45:47.759Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.759Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Execution Path - Alternate Data Stream\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes running from an Alternate Data Stream. 
This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"?:\\\\\\\\*:*\\\" and process.args_count == 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Execution Path - Alternate Data Stream\",\"description\":\"Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true}],\"id\":\"7f281506-1b66-4f78-80d8-3649e6a2d6aa\",\"rule_id\":\"4bd1c1af-79d4-4d37-9efa-6e0240640242\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.759Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : \\\"?:\\\\\\\\*:*\\\" and process.args_count == 1\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"revision\":0,\"current_rule\":{\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"updated_at\":\"2024-12-04T19:45:47.762Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.762Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Share Enumeration Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Share Enumeration Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\\n - Evaluate which information was potentially mapped and accessed by the attacker.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[\"https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations\",\"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-ShareFinder\\\" or\\n \\\"Invoke-ShareFinderThreaded\\\" or\\n (\\n \\\"shi1_netname\\\" and\\n \\\"shi1_remark\\\"\\n ) or\\n (\\n \\\"NetShareEnum\\\" and\\n \\\"NetApiBufferFree\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Share Enumeration 
Script\",\"description\":\"Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Share Enumeration Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\\n - Evaluate which information was potentially mapped and accessed by the attacker.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations\",\"https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1c28a44a-38df-4da6-8e10-ee737d03ce66\",\"rule_id\":\"4c59cff1-b78a-41b8-a9f1-4231984d1fb6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.762Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"Invoke-ShareFinder\\\" or\\n \\\"Invoke-ShareFinderThreaded\\\" or\\n (\\n \\\"shi1_netname\\\" and\\n \\\"shi1_remark\\\"\\n ) or\\n (\\n \\\"NetShareEnum\\\" and\\n \\\"NetApiBufferFree\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"revision\":0,\"current_rule\":{\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"updated_at\":\"2024-12-04T19:45:47.764Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.764Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Load or Unload via Kexec Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. 
a VM Escape.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1601\",\"name\":\"Modify System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/\",\"subtechnique\":[{\"id\":\"T1601.001\",\"name\":\"Patch System 
Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.crowdstrike.com/blog/venom-vulnerability-details/\",\"https://www.makeuseof.com/what-is-venom-vulnerability/\",\"https://madaidans-insecurities.github.io/guides/linux-hardening.html\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Load or Unload via Kexec Detected\",\"description\":\"This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. 
Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.crowdstrike.com/blog/venom-vulnerability-details/\",\"https://www.makeuseof.com/what-is-venom-vulnerability/\",\"https://madaidans-insecurities.github.io/guides/linux-hardening.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1601\",\"name\":\"Modify System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/\",\"subtechnique\":[{\"id\":\"T1601.001\",\"name\":\"Patch System Image\",\"reference\":\"https://attack.mitre.org/techniques/T1601/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"96b998d9-4f32-41cf-8a1c-99619ede4b23\",\"rule_id\":\"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.764Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", 
\\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in 
(\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", \\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"kexec\\\" and process.args in (\\\"--exec\\\", \\\"-e\\\", \\\"--load\\\", \\\"-l\\\", \\\"--unload\\\", \\\"-u\\\") and not\\n process.parent.name in (\\\"kdumpctl\\\", \\\"unload.sh\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"revision\":0,\"current_rule\":{\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"updated_at\":\"2024-12-04T19:45:47.772Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.772Z\",\"created_by\":\"elastic\",\"name\":\"Disable Windows Event and Security Logs Using Built-in Tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable 
EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Ivan Ninichuck\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator 
Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman\",\"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n ((process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")) or\\n\\n ((process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", 
\\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in\\n (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")) and\\n\\tprocess.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\") or\\n\\n ((process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disable Windows Event and Security Logs Using Built-in Tools\",\"description\":\"Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Ivan Ninichuck\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman\",\"https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"},{\"id\":\"T1562.006\",\"name\":\"Indicator Blocking\",\"reference\":\"https://attack.mitre.org/techniques/T1562/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c2523fc-618c-4d09-b473-e4f2c7032f53\",\"rule_id\":\"4de76544-f0e5-486a-8f84-eae0b6063cdc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.772Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == 
\\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n ((process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")) or\\n\\n ((process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name in\\n 
(\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")) and\\n\\tprocess.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\") or\\n\\n ((process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name:\\\"logman.exe\\\" or ?process.pe.original_file_name == \\\"Logman.exe\\\") and\\n process.args : \\\"EventLog-*\\\" and process.args : (\\\"stop\\\", \\\"delete\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"pwsh.exe\\\", \\\"powershell.exe\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n\\t process.args : \\\"Set-Service\\\" and process.args: \\\"EventLog\\\" and process.args : \\\"Disabled\\\"\\n ) or\\n (\\n (process.name:\\\"auditpol.exe\\\" or ?process.pe.original_file_name == \\\"AUDITPOL.EXE\\\") and 
process.args : \\\"/success:disable\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"revision\":0,\"current_rule\":{\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"updated_at\":\"2024-12-04T19:45:47.778Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.778Z\",\"created_by\":\"elastic\",\"name\":\"Multiple Logon Failure Followed by Logon Success\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple logon failures followed by a successful one from the 
same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure Followed by Logon Success\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password 
Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=5s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and user.id != null and \\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and 
source.ip != \\\"::1\\\" and \\n not winlog.event_data.TargetUserSid : \\\"S-1-0-0\\\" and not user.id : \\\"S-1-0-0\\\" and \\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Multiple Logon Failure Followed by Logon Success\",\"description\":\"Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Multiple Logon Failure Followed by Logon Success\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Related rules\\n\\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. 
Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"fe6d5f93-1f90-4244-b07f-a52344952ec1\",\"rule_id\":\"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.778Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=5s\\n [authentication where event.action == \\\"logon-failed\\\" and\\n /* event 4625 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and user.id != null and \\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and \\n not winlog.event_data.TargetUserSid : \\\"S-1-0-0\\\" and not user.id : \\\"S-1-0-0\\\" and \\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT 
AUTHORITY\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n [authentication where event.action == \\\"logged-in\\\" and\\n /* event 4624 need to be logged */\\n winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n not user.name : (\\\"ANONYMOUS LOGON\\\", \\\"-\\\", \\\"*$\\\") and not user.domain == \\\"NT AUTHORITY\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"revision\":0,\"current_rule\":{\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"updated_at\":\"2024-12-04T19:45:47.782Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.782Z\",\"created_by\":\"elastic\",\"name\":\"Execution via MSSQL xp_cmdshell Stored Procedure\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\\n\\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. 
This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\\n\\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\\n- Disable the xp_cmdshell stored procedure.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.001\",\"name\":\"SQL Stored Procedures\",\"reference\":\"https://attack.mitre.org/techniques/T1505/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"sqlservr.exe\\\" and \\n (\\n (process.name : \\\"cmd.exe\\\" and \\n not process.args : (\\\"\\\\\\\\\\\\\\\\*\\\", \\\"diskfree\\\", \\\"rmdir\\\", \\\"mkdir\\\", \\\"dir\\\", \\\"del\\\", \\\"rename\\\", \\\"bcp\\\", \\\"*XMLNAMESPACES*\\\", \\n 
\\\"?:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Jobs\\\\\\\\sql_agent_backup_job.ps1\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\msdb\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Logins\\\")) or \\n \\n (process.name : \\\"vpnbridge.exe\\\" or ?process.pe.original_file_name : \\\"vpnbridge.exe\\\") or \\n\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") or \\n\\n (process.name : \\\"bitsadmin.exe\\\" or ?process.pe.original_file_name == \\\"bitsadmin.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via MSSQL xp_cmdshell Stored Procedure\",\"description\":\"Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\\n\\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\\n\\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions — preferably with a full command line.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\\n- Disable the xp_cmdshell stored procedure.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.001\",\"name\":\"SQL Stored Procedures\",\"reference\":\"https://attack.mitre.org/techniques/T1505/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"31dd90b1-0bff-4741-9ef8-71abb28e871f\",\"rule_id\":\"4ed493fc-d637-4a36-80ff-ac84937e5461\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.782Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"sqlservr.exe\\\" and \\n (\\n (process.name : \\\"cmd.exe\\\" and \\n not process.args : (\\\"\\\\\\\\\\\\\\\\*\\\", \\\"diskfree\\\", \\\"rmdir\\\", \\\"mkdir\\\", \\\"dir\\\", \\\"del\\\", \\\"rename\\\", \\\"bcp\\\", \\\"*XMLNAMESPACES*\\\", \\n \\\"?:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Jobs\\\\\\\\sql_agent_backup_job.ps1\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\msdb\\\", \\\"K:\\\\\\\\MSSQL\\\\\\\\Backup\\\\\\\\Logins\\\")) or \\n \\n (process.name : \\\"vpnbridge.exe\\\" or ?process.pe.original_file_name : \\\"vpnbridge.exe\\\") or \\n\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") or \\n\\n 
(process.name : \\\"bitsadmin.exe\\\" or ?process.pe.original_file_name == \\\"bitsadmin.exe\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules 
was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"revision\":0,\"current_rule\":{\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"updated_at\":\"2024-12-04T19:45:47.785Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.785Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Script Object Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scrobj.dll loaded into unusual Microsoft processes. 
This usually means a malicious scriptlet is being executed in the target process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : 
(\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Script Object Execution\",\"description\":\"Identifies scrobj.dll loaded into unusual Microsoft processes. 
This usually means a malicious scriptlet is being executed in the target process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"42249f85-4d8c-45ee-93de-60b20a67816a\",\"rule_id\":\"4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.785Z\",\"created_by\":\"elastic\",\"revision\":1,\"type
\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action 
: \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") 
and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and \\n (?dll.name : \\\"scrobj.dll\\\" or ?file.name : \\\"scrobj.dll\\\") and \\n process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\") and \\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\msiexec.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wscript.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mshta.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenWith.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WMIADAP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"revision\":0,\"current_rule\":{\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"updated_at\":\"2024-12-04T19:46:03.760Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.760Z\",\"created_by\":\"elastic\",\"name\":\"Unusual High Confidence Misconduct Blocks Detected\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"New model deployments.\",\"Testing updates to compliance policies.\"],\"from\":\"now-60m\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.confidence == \\\"HIGH\\\" and gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.compliance.violation_code == \\\"MISCONDUCT\\\"\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual High Confidence Misconduct Blocks Detected\",\"description\":\"Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: 
T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"New model deployments.\",\"Testing updates to compliance policies.\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"9db24aad-45b7-4e51-a9ad-b949e3da9027\",\"rule_id\":\"4f855297-c8e0-4097-9d97-d653f7e471c4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.760Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail High Confidence Misconduct Blocks.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage 
content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that queried denied topics and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that queried denied topics, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector 
abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.confidence == \\\"HIGH\\\" and gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.compliance.violation_code == \\\"MISCONDUCT\\\"\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| MV_EXPAND gen_ai.compliance.violation_code\\n| MV_EXPAND gen_ai.policy.confidence\\n| where gen_ai.policy.action == \\\"BLOCKED\\\" and gen_ai.policy.confidence LIKE \\\"HIGH\\\" and gen_ai.compliance.violation_code LIKE \\\"MISCONDUCT\\\"\\n| keep user.id\\n| stats high_confidence_blocks = count() by user.id\\n| where high_confidence_blocks > 5\\n| sort high_confidence_blocks desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"revision\":0,\"current_rule\":{\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"updated_at\":\"2024-12-04T19:45:47.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.790Z\",\"created_by\":\"elastic\",\"name\":\"Execution via TSClient Mountpoint\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\tsclient\\\\\\\\*.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via TSClient Mountpoint\",\"description\":\"Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. 
This may indicate a lateral movement attempt.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2a543efa-f6e0-4171-a942-187337c36b4b\",\"rule_id\":\"4fe9d835-40e1-452d-8230-17c147cafad8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\tsclient\\\\\\\\*.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"revision\":0,\"current_rule\":{\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"updated_at\":\"2024-12-04T19:45:47.794Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.794Z\",\"created_by\":\"elastic\",\"name\":\"Windows System Information Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational 
awareness.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"ver*\\\" and not\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Keybase\\\\\\\\upd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\python*.exe\\\"\\n )\\n ) or \\n process.name : (\\\"systeminfo.exe\\\", \\\"hostname.exe\\\") or \\n (process.name : 
\\\"wmic.exe\\\" and process.args : \\\"os\\\" and process.args : \\\"get\\\")\\n) and not\\nprocess.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\"\\n) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows System Information Discovery\",\"description\":\"Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"39724c4e-a5a3-4a12-9e57-aa3d1f590eee\",\"rule_id\":\"51176ed2-2d90-49f2-9f3d-17196428b169\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.794Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"ver*\\\" and not\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Keybase\\\\\\\\upd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\python*.exe\\\"\\n )\\n ) or \\n process.name : (\\\"systeminfo.exe\\\", \\\"hostname.exe\\\") or \\n (process.name : \\\"wmic.exe\\\" and process.args : \\\"os\\\" and process.args : \\\"get\\\")\\n) and not\\nprocess.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\"\\n) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"revision\":0,\"current_rule\":{\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"updated_at\":\"2024-12-04T19:45:47.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.797Z\",\"created_by\":\"elastic\",\"name\":\"Hidden Files and Directories via Hidden Flag\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and 
Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"file where event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Hidden Files and Directories via Hidden Flag\",\"description\":\"Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and 
Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"070cf104-7a62-4b08-9112-242eee495c88\",\"rule_id\":\"5124e65f-df97-4471-8dcb-8e3953b3ea97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic 
Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == \\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and process.name == 
\\\"chflags\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"revision\":0,\"current_rule\":{\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"updated_at\":\"2024-12-04T19:45:40.203Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.203Z\",\"created_by\":\"elastic\",\"name\":\"Registry Persistence via AppCert DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":312,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Registry Persistence via AppCert DLL\",\"description\":\"Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. 
AppCert DLLs are loaded by every process using the common API functions to create processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.009\",\"name\":\"AppCert DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/009/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e285cb69-6b59-405f-89e5-eb9285a292d0\",\"rule_id\":\"513f0ffd-b317-4b9c-9494-92ce861f22c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.203Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\AppCertDLLs\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":312,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"revision\":0,\"current_rule\":{\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"updated_at\":\"2024-12-04T19:45:47.804Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.804Z\",\"created_by\":\"elastic\",\"name\":\"Service DACL Modification via sc.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and 
users.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\",\"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\",\"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\
"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"sdset\\\" and process.args : \\\"*D;*\\\" and\\n process.args : (\\\"*;IU*\\\", \\\"*;SU*\\\", \\\"*;BA*\\\", \\\"*;SY*\\\", \\\"*;WD*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service DACL Modification via sc.exe\",\"description\":\"Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml\",\"https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings\",\"https://www.sans.org/blog/red-team-tactics-hiding-windows-services/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29b5fe70-ce69-49b8-9845-35c8c8d91ea4\",\"rule_id\":\"5188c68e-d3de-4e96-994d-9e242269446f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.804Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"sdset\\\" and process.args : \\\"*D;*\\\" and\\n process.args : (\\\"*;IU*\\\", \\\"*;SU*\\\", \\\"*;BA*\\\", \\\"*;SY*\\\", \\\"*;WD*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"revision\":0,\"current_rule\":{\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"updated_at\":\"2024-12-04T19:45:47.812Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.812Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement with MMC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary 
Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mmc.exe\\\" and source.port >= 49152 and\\n destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\"\\n ] by process.entity_id\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"mmc.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement with MMC\",\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"f5849979-f174-4f8b-8d3a-285c1e52bc54\",\"rule_id\":\"51ce96fb-9e52-4dad-b0ba-99b54440fc9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.812Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mmc.exe\\\" and source.port >= 49152 and\\n destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and 
process.parent.name : \\\"mmc.exe\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"revision\":0,\"current_rule\":{\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"updated_at\":\"2024-12-04T19:45:47.820Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.820Z\",\"created_by\":\"elastic\",\"name\":\"Linux Restricted Shell Breakout via Linux Binary(s)\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. 
The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shell Evasion via Linux Utilities\\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\\nenvironments by spawning an interactive system shell.\\nHere are some possible avenues of investigation:\\n- Examine the entry point to the host and user in action via the Analyse View.\\n - Identify the session entry leader and session user\\n- Examine the contents of session leading to the abuse via the Session View.\\n - Examine the command execution pattern in the session, which may lead to suspricous activities\\n- Examine the execution of commands in the spawned shell.\\n - Identify imment threat to the system from the executed commands\\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\\n\\n### Related rules\\n\\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\\n\\n### Response and remediation\\n\\nInitiate the incident response process based on the outcome of the triage.\\n\\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\\n - Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware execution via the maliciously spawned shell,\\n - Search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n 
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the triage revelaed defence evasion for imparing defenses\\n - Isolate the involved host to prevent further post-compromise behavior.\\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\\n - Isolate further login to the systems that can initae auto start scripts.\\n - Identify the auto start scripts and disable and remove the same from the systems\\n- If the triage revealed data crawling or data export via remote copy\\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"
name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\\n#### To confirm that Session View data is enabled:\\n- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies.\\n- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom.\\n- Check the box for “Process events”, and turn on the “Include session data” toggle.\\n- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.\\n- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.\\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\n(\\n /* launching shell from capsh */\\n (process.name == \\\"capsh\\\" and process.args == \\\"--\\\") or\\n \\n /* launching shells from unusual parents or parent+arg combos */\\n (process.name in (\\\"bash\\\", 
\\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and (\\n (process.parent.name : \\\"*awk\\\" and process.parent.args : \\\"BEGIN {system(*)}\\\") or\\n (process.parent.name == \\\"git\\\" and process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or \\n process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") and not process.name == \\\"ssh\\\" ) or\\n (process.parent.name : (\\\"byebug\\\", \\\"ftp\\\", \\\"strace\\\", \\\"zip\\\", \\\"tar\\\") and \\n (\\n process.parent.args : \\\"BEGIN {system(*)}\\\" or\\n (process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\")) or\\n (\\n (process.parent.args : \\\"exec=*sh\\\" or (process.parent.args : \\\"-I\\\" and process.parent.args : \\\"*sh\\\")) or\\n (process.args : \\\"exec=*sh\\\" or (process.args : \\\"-I\\\" and process.args : \\\"*sh\\\"))\\n )\\n )\\n ) or\\n \\n /* shells specified in parent args */\\n /* nice rule is broken in 8.2 */\\n (process.parent.args : \\\"*sh\\\" and\\n (\\n (process.parent.name == \\\"nice\\\") or\\n (process.parent.name == \\\"cpulimit\\\" and process.parent.args == \\\"-f\\\") or\\n (process.parent.name == \\\"find\\\" and process.parent.args == \\\".\\\" and process.parent.args == \\\"-exec\\\" and \\n process.parent.args == \\\";\\\" and process.parent.args : \\\"/bin/*sh\\\") or\\n (process.parent.name == \\\"flock\\\" and process.parent.args == \\\"-u\\\" and process.parent.args == \\\"/\\\")\\n )\\n )\\n )) or\\n\\n /* shells specified in args */\\n (process.args : \\\"*sh\\\" and (\\n (process.parent.name == \\\"crash\\\" and process.parent.args == \\\"-h\\\") or\\n (process.name == \\\"sensible-pager\\\" and process.parent.name in (\\\"apt\\\", \\\"apt-get\\\") and process.parent.args == \\\"changelog\\\")\\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise 
and remove false positives */\\n \\n )) or\\n (process.name == \\\"busybox\\\" and event.action == \\\"exec\\\" and process.args_count == 2 and process.args : \\\"*sh\\\" and not \\n process.executable : \\\"/var/lib/docker/overlay2/*/merged/bin/busybox\\\" and not (process.parent.args == \\\"init\\\" and\\n process.parent.args == \\\"runc\\\") and not process.parent.args in (\\\"ls-remote\\\", \\\"push\\\", \\\"fetch\\\") and not process.parent.name == \\\"mkinitramfs\\\") or\\n (process.name == \\\"env\\\" and process.args_count == 2 and process.args : \\\"*sh\\\") or\\n (process.parent.name in (\\\"vi\\\", \\\"vim\\\") and process.parent.args == \\\"-c\\\" and process.parent.args : \\\":!*sh\\\") or\\n (process.parent.name in (\\\"c89\\\", \\\"c99\\\", \\\"gcc\\\") and process.parent.args : \\\"*sh,-s\\\" and process.parent.args == \\\"-wrapper\\\") or\\n (process.parent.name == \\\"expect\\\" and process.parent.args == \\\"-c\\\" and process.parent.args : \\\"spawn *sh;interact\\\") or\\n (process.parent.name == \\\"mysql\\\" and process.parent.args == \\\"-e\\\" and process.parent.args : \\\"\\\\\\\\!*sh\\\") or\\n (process.parent.name == \\\"ssh\\\" and process.parent.args == \\\"-o\\\" and process.parent.args : \\\"ProxyCommand=;*sh 0<&2 1>&2\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Restricted Shell Breakout via Linux Binary(s)\",\"description\":\"Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. 
The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shell Evasion via Linux Utilities\\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\\nenvironments by spawning an interactive system shell.\\nHere are some possible avenues of investigation:\\n- Examine the entry point to the host and user in action via the Analyse View.\\n - Identify the session entry leader and session user\\n- Examine the contents of session leading to the abuse via the Session View.\\n - Examine the command execution pattern in the session, which may lead to suspricous activities\\n- Examine the execution of commands in the spawned shell.\\n - Identify imment threat to the system from the executed commands\\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\\n\\n### Related rules\\n\\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\\n\\n### Response and remediation\\n\\nInitiate the incident response process based on the outcome of the triage.\\n\\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\\n - Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware execution via the maliciously spawned shell,\\n - Search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious 
processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the triage revelaed defence evasion for imparing defenses\\n - Isolate the involved host to prevent further post-compromise behavior.\\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\\n - Isolate further login to the systems that can initae auto start scripts.\\n - Identify the auto start scripts and disable and remove the same from the systems\\n- If the triage revealed data crawling or data export via remote copy\\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic 
Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\\n#### To confirm that Session View data is enabled:\\n- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies.\\n- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom.\\n- Check the box for “Process events”, and turn on the “Include session data” toggle.\\n- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.\\n- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.\\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/session-view.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"15094995-f9c2-496b-8292-4156d51f28b1\",\"rule_id\":\"52376a86-ee86-4967-97ae-1a05f55816f0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.820Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\n(\\n /* launching shell from capsh */\\n (process.name == \\\"capsh\\\" and process.args == \\\"--\\\") or\\n \\n /* launching shells from unusual parents or parent+arg combos */\\n (process.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") and (\\n (process.parent.name : \\\"*awk\\\" and process.parent.args : \\\"BEGIN {system(*)}\\\") or\\n (process.parent.name == \\\"git\\\" and process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or \\n process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") and not process.name == \\\"ssh\\\" ) or\\n (process.parent.name : (\\\"byebug\\\", \\\"ftp\\\", \\\"strace\\\", \\\"zip\\\", \\\"tar\\\") and \\n (\\n process.parent.args : 
\\\"BEGIN {system(*)}\\\" or\\n (process.parent.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\") or process.args : (\\\"*PAGER*\\\", \\\"!*sh\\\", \\\"exec *sh\\\")) or\\n (\\n (process.parent.args : \\\"exec=*sh\\\" or (process.parent.args : \\\"-I\\\" and process.parent.args : \\\"*sh\\\")) or\\n (process.args : \\\"exec=*sh\\\" or (process.args : \\\"-I\\\" and process.args : \\\"*sh\\\"))\\n )\\n )\\n ) or\\n \\n /* shells specified in parent args */\\n /* nice rule is broken in 8.2 */\\n (process.parent.args : \\\"*sh\\\" and\\n (\\n (process.parent.name == \\\"nice\\\") or\\n (process.parent.name == \\\"cpulimit\\\" and process.parent.args == \\\"-f\\\") or\\n (process.parent.name == \\\"find\\\" and process.parent.args == \\\".\\\" and process.parent.args == \\\"-exec\\\" and \\n process.parent.args == \\\";\\\" and process.parent.args : \\\"/bin/*sh\\\") or\\n (process.parent.name == \\\"flock\\\" and process.parent.args == \\\"-u\\\" and process.parent.args == \\\"/\\\")\\n )\\n )\\n )) or\\n\\n /* shells specified in args */\\n (process.args : \\\"*sh\\\" and (\\n (process.parent.name == \\\"crash\\\" and process.parent.args == \\\"-h\\\") or\\n (process.name == \\\"sensible-pager\\\" and process.parent.name in (\\\"apt\\\", \\\"apt-get\\\") and process.parent.args == \\\"changelog\\\")\\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\\n \\n )) or\\n (process.name == \\\"busybox\\\" and event.action == \\\"exec\\\" and process.args_count == 2 and process.args : \\\"*sh\\\" and not \\n process.executable : \\\"/var/lib/docker/overlay2/*/merged/bin/busybox\\\" and not (process.parent.args == \\\"init\\\" and\\n process.parent.args == \\\"runc\\\") and not process.parent.args in (\\\"ls-remote\\\", \\\"push\\\", \\\"fetch\\\") and not process.parent.name == \\\"mkinitramfs\\\") or\\n (process.name == \\\"env\\\" and process.args_count == 2 and process.args : 
\\\"*sh\\\") or\\n (process.parent.name in (\\\"vi\\\", \\\"vim\\\") and process.parent.args == \\\"-c\\\" and process.parent.args : \\\":!*sh\\\") or\\n (process.parent.name in (\\\"c89\\\", \\\"c99\\\", \\\"gcc\\\") and process.parent.args : \\\"*sh,-s\\\" and process.parent.args == \\\"-wrapper\\\") or\\n (process.parent.name == \\\"expect\\\" and process.parent.args == \\\"-c\\\" and process.parent.args : \\\"spawn *sh;interact\\\") or\\n (process.parent.name == \\\"mysql\\\" and process.parent.args == \\\"-e\\\" and process.parent.args : \\\"\\\\\\\\!*sh\\\") or\\n (process.parent.name == \\\"ssh\\\" and process.parent.args == \\\"-o\\\" and process.parent.args : \\\"ProxyCommand=;*sh 0<&2 1>&2\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobin
s.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\"],\"target_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"https://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://gtfobins.github.io/gtfobins/apt/\",\"https://gtfobins.github.io/gtfobins/apt-get/\",\"https://gtfobins.github.io/gtfobins/nawk/\",\"https://gtfobins.github.io/gtfobins/mawk/\",\"https://gtfobins.github.io/gtfobins/awk/\",\"https://gtfobins.github.io/gtfobins/gawk/\",\"https://gtfobins.github.io/gtfobins/busybox/\",\"https://gtfobins.github.io/gtfobins/c89/\",\"https://gtfobins.github.io/gtfobins/c99/\",\"https://gtfobins.github.io/gtfobins/cpulimit/\",\"htt
ps://gtfobins.github.io/gtfobins/crash/\",\"https://gtfobins.github.io/gtfobins/env/\",\"https://gtfobins.github.io/gtfobins/expect/\",\"https://gtfobins.github.io/gtfobins/find/\",\"https://gtfobins.github.io/gtfobins/flock/\",\"https://gtfobins.github.io/gtfobins/gcc/\",\"https://gtfobins.github.io/gtfobins/mysql/\",\"https://gtfobins.github.io/gtfobins/nice/\",\"https://gtfobins.github.io/gtfobins/ssh/\",\"https://gtfobins.github.io/gtfobins/vi/\",\"https://gtfobins.github.io/gtfobins/vim/\",\"https://gtfobins.github.io/gtfobins/capsh/\",\"https://gtfobins.github.io/gtfobins/byebug/\",\"https://gtfobins.github.io/gtfobins/git/\",\"https://gtfobins.github.io/gtfobins/ftp/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"revision\":0,\"current_rule\":{\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"updated_at\":\"2024-12-04T19:45:47.822Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.822Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Connection via RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of rundll32.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Connection via RunDLL32\\n\\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\\n\\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that RunDLL32 is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Identify the target computer and its role in the IT environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.001\",\"name\":\"Web 
Protocols\",\"reference\":\"https://attack.mitre.org/techniques/T1071/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://redcanary.com/threat-detection-report/techniques/rundll32/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"rundll32.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"rundll32.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", 
\\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Connection via RunDLL32\",\"description\":\"Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Connection via RunDLL32\\n\\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\\n\\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that RunDLL32 is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Identify the target computer and its role in the IT environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\",\"https://redcanary.com/threat-detection-report/techniques/rundll32/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\",\"subtechnique\":[{\"id\":\"T1071.001\",\"name\":\"Web Protocols\",\"reference\":\"https://attack.mitre.org/techniques/T1071/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72cc54b8-3d1d-402f-bf9b-3897f764b2f4\",\"rule_id\":\"52aaab7b-b51c-441a-89ce-4387b3aea886\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.822Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"rundll32.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"rundll32.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", 
\\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"revision\":0,\"current_rule\":{\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"updated_at\":\"2024-12-04T19:45:47.829Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.829Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Network Activity to the Internet by Previously Unknown 
Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\\n\\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\\n\\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-59m\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n- Filebeat\\n- Packetbeat\\n\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n### Packetbeat Setup\\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\\n\\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\\n- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable:(\\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and\\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\\nnot /etc/cron.hourly/BitdefenderRedline) and\\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\\nnot process.name:(\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\\n or steam* or terraform*\\n) and\\nnot destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 
192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\\n or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-20d\",\"index\":[\"auditbeat-*\",\"filebeat-*\",\"packetbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Network Activity to the Internet by Previously Unknown Executable\",\"description\":\"This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\\n\\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\\n\\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Process Info\\\",\\\"query\\\":\\\"SELECT name, cmdline, parent, path, uid FROM processes\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n\\n### Related rules\\n\\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":11,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-59m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n- Filebeat\\n- Packetbeat\\n\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n### Packetbeat Setup\\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\\n\\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\\n- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"da0e47aa-156e-43a9-8cc7-f2d854a025d0\",\"rule_id\":\"53617418-17b4-4e9c-8a2c-8deb8086ca4b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.829Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or 
/usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or /tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-20d\",\"index\":[\"auditbeat-*\",\"filebeat-*\",\"packetbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":11,\"merged_version\":11,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or 
ipv4_connection_attempt_event) and\\nprocess.executable:(\\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and\\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\\nnot /etc/cron.hourly/BitdefenderRedline) and\\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\\nnot process.name:(\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\\n or steam* or terraform*\\n) and\\nnot destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\\n or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or 
/tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\\nprocess.executable : (\\n /etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\\n) and process.name : * and\\nnot (\\n process.executable : (\\n /tmp/newroot/* or /tmp/snap.rootfs* or /etc/cron.hourly/BitdefenderRedline or /tmp/go-build* or /srv/snp/docker/* or\\n /run/containerd/* or /tmp/.mount* or /run/k3s/containerd/* or /tmp/selenium* or /tmp/tmp.*/juliainstaller or\\n /tmp/.criu.mntns* or /home/*/.local/share/containers/* or /etc/update-motd.d/*\\n ) or\\n source.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) or\\n process.name : (\\n apt or chrome or curl 
or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or\\n kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or\\n php* or pip* or python* or steam* or terraform*\\n ) or\\n destination.ip:(\\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or\\n 192.0.0.0/29 or 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or\\n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or\\n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \\\"::1\\\" or \\\"FE80::/10\\\" or \\\"FF00::/8\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"revision\":1,\"current_rule\":{\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"updated_at\":\"2024-12-04T19:49:59.665Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.839Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PDF Reader Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":1,\"description\":\"Identifies suspicious child processes of PDF reader applications. 
These child processes are often launched via exploitation of PDF applications or social engineering.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PDF Reader Child Process\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[{\"id\":\"45fc22d6-c943-4028-911f-83dcfe3c000e\",\"list_id\":\"a8b5c0c7-6f1d-4399-b366-88e640119be2\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"AcroRd32.exe\\\",\\n \\\"Acrobat.exe\\\",\\n \\\"FoxitPhantomPDF.exe\\\",\\n \\\"FoxitReader.exe\\\") and\\n process.name : (\\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", 
\\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\", \\\"bginfo.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"fsi.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"msbuild.exe\\\", \\\"mshta.exe\\\",\\n \\\"msxsl.exe\\\", \\\"odbcconf.exe\\\", \\\"rcsi.exe\\\", \\\"regsvr32.exe\\\", \\\"xwizard.exe\\\", \\\"atbroker.exe\\\",\\n \\\"forfiles.exe\\\", \\\"schtasks.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"cmd.exe\\\", \\\"cscript.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"bitsadmin.exe\\\", \\\"certutil.exe\\\", \\\"ftp.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PDF Reader Child Process\",\"description\":\"Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PDF Reader Child Process\\n\\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\\n\\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve PDF documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"91ef676e-1c27-4be1-b2e1-511aea9cb6ee\",\"rule_id\":\"53a26770-9cbd-40c5-8b57-61d01a325e14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.839Z\",\"created_by\":\"elastic\",\"revision\":2,\"type\":\"eql\",\"query\":\"process 
where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"AcroRd32.exe\\\",\\n \\\"Acrobat.exe\\\",\\n \\\"FoxitPhantomPDF.exe\\\",\\n \\\"FoxitReader.exe\\\") and\\n process.name : (\\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\", \\\"bginfo.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"fsi.exe\\\", \\\"ieexec.exe\\\",\\n \\\"iexpress.exe\\\", \\\"installutil.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"msbuild.exe\\\", \\\"mshta.exe\\\",\\n \\\"msxsl.exe\\\", \\\"odbcconf.exe\\\", \\\"rcsi.exe\\\", \\\"regsvr32.exe\\\", \\\"xwizard.exe\\\", \\\"atbroker.exe\\\",\\n \\\"forfiles.exe\\\", \\\"schtasks.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"cmd.exe\\\", \\\"cscript.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\", \\\"bitsadmin.exe\\\", \\\"certutil.exe\\\", \\\"ftp.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"revision\":0,\"current_rule\":{\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"updated_at\":\"2024-12-04T19:45:47.841Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.841Z\",\"created_by\":\"elastic\",\"name\":\"Binary Content Copy via Cmd.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and (\\n (process.args : \\\"type\\\" and process.args : (\\\">\\\", \\\">>\\\")) or\\n (process.args : \\\"copy\\\" and process.args : \\\"/b\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Binary Content Copy via Cmd.exe\",\"description\":\"Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"821da973-626f-449e-bc02-3af1669855b1\",\"rule_id\":\"53dedd83-1be7-430f-8026-363256395c8b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.841Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and (\\n (process.args : \\\"type\\\" and process.args : (\\\">\\\", \\\">>\\\")) or\\n (process.args : \\\"copy\\\" and process.args : 
\\\"/b\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"revision\":0,\"current_rule\":{\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"updated_at\":\"2024-12-04T19:45:40.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.181Z\",\"created_by\":\"elastic\",\"name\":\"Uncommon Registry Persistence Change\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. 
This could be an indication of an adversary's attempt to persist in a stealthy manner.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.002\",\"name\":\"Screensaver\",\"reference\":\"https://attack.mitre.org/techniques/T1546/002/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Load\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Run\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\IconServiceLib\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\AppSetup\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Taskman\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\*\\\\\\\\ShellComponent\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnConnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnDisconnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Control 
Panel\\\\\\\\Desktop\\\\\\\\scrnsave.exe\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\VerifierDlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\GpExtensions\\\\\\\\*\\\\\\\\DllName\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\SafeBoot\\\\\\\\AlternateShell\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\Wds\\\\\\\\rdpwd\\\\\\\\StartupPrograms\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\InitialProgram\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\BootExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\SetupExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Execute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\S0InitialCommand\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\ServiceControlManagerExtension\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\BootVerificationProgram\\\\\\\\ImagePath\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\Setup\\\\\\\\CmdLine\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\UserInitMprLogonScript\\\") and\\n\\n not registry.data.strings : (\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\userinit.exe\\\", \\\"cmd.exe\\\", \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\") and\\n not process.executable : 
(\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not (process.name : (\\\"TiWorker.exe\\\", \\\"poqexec.exe\\\") and registry.value : \\\"SetupExecute\\\" and\\n registry.data.strings : (\\n \\\"C:\\\\\\\\windows\\\\\\\\System32\\\\\\\\poqexec.exe /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe /skip_critical_poq /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\"\\n )\\n ) and\\n not (process.name : \\\"svchost.exe\\\" and registry.value : \\\"SCRNSAVE.EXE\\\" and\\n registry.data.strings : (\\n \\\"%windir%\\\\\\\\system32\\\\\\\\rundll32.exe user32.dll,LockWorkStation\\\",\\n \\\"scrnsave.scr\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\Ribbons.scr\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Uncommon Registry Persistence Change\",\"description\":\"Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. 
This could be an indication of an adversary's attempt to persist in a stealthy manner.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.002\",\"name\":\"Screensaver\",\"reference\":\"https://attack.mitre.org/techniques/T1546/002/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"32642744-8386-4a5a-96ef-7c8a80cd9af0\",\"rule_id\":\"54902e45-3467-49a4-8abc-529f2c8cfb80\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Terminal Server\\\\\\\\Install\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Runonce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Load\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\Run\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\IconServiceLib\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\AppSetup\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Taskman\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\VmApplet\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\Shell\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logoff\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Logon\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Shutdown\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\System\\\\\\\\Scripts\\\\\\\\Startup\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Active Setup\\\\\\\\Installed Components\\\\\\\\*\\\\\\\\ShellComponent\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnConnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows CE Services\\\\\\\\AutoStartOnDisconnect\\\\\\\\MicrosoftActiveSync\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Ctf\\\\\\\\LangBarAddin\\\\\\\\*\\\\\\\\FilePath\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Exec\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Command Processor\\\\\\\\Autorun\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Control 
Panel\\\\\\\\Desktop\\\\\\\\scrnsave.exe\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\VerifierDlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\GpExtensions\\\\\\\\*\\\\\\\\DllName\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\SafeBoot\\\\\\\\AlternateShell\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\Wds\\\\\\\\rdpwd\\\\\\\\StartupPrograms\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\InitialProgram\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\BootExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\SetupExecute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\Execute\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Session Manager\\\\\\\\S0InitialCommand\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\ServiceControlManagerExtension\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\BootVerificationProgram\\\\\\\\ImagePath\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\Setup\\\\\\\\CmdLine\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\UserInitMprLogonScript\\\") and\\n\\n not registry.data.strings : (\\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\userinit.exe\\\", \\\"cmd.exe\\\", \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and registry.path : \\\"*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Internet Explorer\\\\\\\\Extensions\\\\\\\\*\\\\\\\\Script\\\") and\\n not process.executable : 
(\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not (process.name : (\\\"TiWorker.exe\\\", \\\"poqexec.exe\\\") and registry.value : \\\"SetupExecute\\\" and\\n registry.data.strings : (\\n \\\"C:\\\\\\\\windows\\\\\\\\System32\\\\\\\\poqexec.exe /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\poqexec.exe /skip_critical_poq /display_progress \\\\\\\\SystemRoot\\\\\\\\WinSxS\\\\\\\\pending.xml\\\"\\n )\\n ) and\\n not (process.name : \\\"svchost.exe\\\" and registry.value : \\\"SCRNSAVE.EXE\\\" and\\n registry.data.strings : (\\n \\\"%windir%\\\\\\\\system32\\\\\\\\rundll32.exe user32.dll,LockWorkStation\\\",\\n \\\"scrnsave.scr\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\Ribbons.scr\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"revision\":0,\"current_rule\":{\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"updated_at\":\"2024-12-04T19:45:47.843Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.843Z\",\"created_by\":\"elastic\",\"name\":\"Exchange Mailbox Export via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exchange Mailbox Export via PowerShell\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. 
Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local 
System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : 
\\\"New-MailboxExportRequest\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Exchange Mailbox Export via PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exchange Mailbox Export via PowerShell\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration 
activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c49cfcec-7199-430a-a9cd-3270083ee0bf\",\"rule_id\":\"54a81f68-5f2a-421e-8eed-f888278bb712\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.843Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\
\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : \\\"New-MailboxExportRequest\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"revision\":0,\"current_rule\":{\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"updated_at\":\"2024-12-04T19:45:40.209Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.209Z\",\"created_by\":\"elastic\",\"name\":\"Network Logon Provider Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Logon Provider Registry Modification\\n\\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\\n\\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the `registry.data.strings` field to identify the DLL registered.\\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on 
User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized third party network logon providers.\"],\"from\":\"now-9m\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\",\"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.data.strings : \\\"?*\\\" and registry.value : \\\"ProviderPath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\"\\n ) and\\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. 
*/\\n not (\\n user.id : \\\"S-1-5-18\\\" and\\n registry.data.strings : (\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\ntlanman.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\drprov.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\davclnt.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\vmhgfs.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\ICA Client\\\\\\\\x64\\\\\\\\pnsson.dll\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SARemediation\\\\\\\\agent\\\\\\\\DellMgmtNP.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Connect\\\\\\\\\\\\\\\\epcgina.dll\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Logon Provider Registry Modification\",\"description\":\"Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Logon Provider Registry Modification\\n\\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\\n\\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the `registry.data.strings` field to identify the DLL registered.\\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. 
Check for prevalence in the environment and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized third party network logon providers.\"],\"references\":[\"https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy\",\"https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"01e6e529-11ac-4799-ac57-bbb0401594a6\",\"rule_id\":\"54c3d186-0461-4dc3-9b33-2dc5c7473936\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.209Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.data.strings : \\\"?*\\\" and registry.value : \\\"ProviderPath\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\NetworkProvider\\\\\\\\ProviderPath\\\"\\n ) and\\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. 
*/\\n not (\\n user.id : \\\"S-1-5-18\\\" and\\n registry.data.strings : (\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\ntlanman.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\drprov.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\davclnt.dll\\\",\\n \\\"%SystemRoot%\\\\\\\\System32\\\\\\\\vmhgfs.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Citrix\\\\\\\\ICA Client\\\\\\\\x64\\\\\\\\pnsson.dll\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SARemediation\\\\\\\\agent\\\\\\\\DellMgmtNP.dll\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Connect\\\\\\\\\\\\\\\\epcgina.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"revision\":0,\"current_rule\":{\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"updated_at\":\"2024-12-04T19:45:47.850Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.850Z\",\"created_by\":\"elastic\",\"name\":\"Windows Service Installed via an Unusual Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege 
Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ParentProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nSystem >\\nAudit Security System Extension (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"configuration where host.os.type == \\\"windows\\\" and\\n event.action == \\\"service-installed\\\" and\\n (winlog.event_data.ClientProcessId == \\\"0\\\" or winlog.event_data.ParentProcessId == \\\"0\\\") and\\n not winlog.event_data.ServiceFileName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\Crowdstrike\\\\\\\\*-CsInstallerService.exe\\\",\\n \\\"\\\\\\\"%windir%\\\\\\\\AdminArsenal\\\\\\\\PDQInventory-Scanner\\\\\\\\service-1\\\\\\\\PDQInventory-Scanner-1.exe\\\\\\\" \\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Service Installed via an Unusual Client\",\"description\":\"Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nSystem >\\nAudit Security System Extension (Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ParentProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"cdd80eec-8642-4c77-9f45-f6784057a91b\",\"rule_id\":\"55c2bf58-2a39-4c58-a384-c8b1978153c2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.850Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"configuration where host.os.type == \\\"windows\\\" and\\n event.action == \\\"service-installed\\\" and\\n (winlog.event_data.ClientProcessId == \\\"0\\\" or winlog.event_data.ParentProcessId == \\\"0\\\") and\\n not winlog.event_data.ServiceFileName : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n 
\\\"%SystemRoot%\\\\\\\\system32\\\\\\\\Drivers\\\\\\\\Crowdstrike\\\\\\\\*-CsInstallerService.exe\\\",\\n \\\"\\\\\\\"%windir%\\\\\\\\AdminArsenal\\\\\\\\PDQInventory-Scanner\\\\\\\\service-1\\\\\\\\PDQInventory-Scanner-1.exe\\\\\\\" \\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\"],\"target_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.x86matthew.com/view_post?id=create_svc_rpc\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"revision\":0,\"current_rule\":{\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"updated_at\":\"2024-12-04T19:45:47.852Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.852Z\",\"created_by\":\"elastic\",\"name\":\"PsExec Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating PsExec Network Connection\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"PsExec.exe\\\" and event.type == \\\"start\\\" and\\n\\n /* This flag suppresses the display of the license dialog and may\\n indicate that psexec executed for the first time in the machine */\\n process.args : \\\"-accepteula\\\" and\\n\\n not process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Docusnap\\\\\\\\Discovery\\\\\\\\discovery\\\\\\\\plugins\\\\\\\\17\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Docusnap 11\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Tools\\\\\\\\dsDNS.exe\\\") and\\n not process.parent.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cynet\\\\\\\\Cynet Scanner\\\\\\\\CynetScanner.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : 
\\\"PsExec.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PsExec Network Connection\",\"description\":\"Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PsExec Network Connection\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PsExec is a dual-use tool that can be used for benign or malicious activity. 
It's important to baseline your environment to determine the amount of noise to expect from this tool.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bd3010b0-362d-4717-9b1d-fee582ab6914\",\"rule_id\":\"55d551c6-333b-4665-ab7e-5d14a59715ce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.852Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"PsExec.exe\\\" and event.type == \\\"start\\\" and\\n\\n /* This flag suppresses the display of the license dialog and may\\n indicate that psexec executed for the first time in the machine */\\n process.args : \\\"-accepteula\\\" and\\n\\n not process.executable : (\\\"?:\\\\\\\\ProgramData\\\\\\\\Docusnap\\\\\\\\Discovery\\\\\\\\discovery\\\\\\\\plugins\\\\\\\\17\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Docusnap 11\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Bin\\\\\\\\psexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docusnap X\\\\\\\\Tools\\\\\\\\dsDNS.exe\\\") and\\n not process.parent.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cynet\\\\\\\\Cynet Scanner\\\\\\\\CynetScanner.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and 
process.name : \\\"PsExec.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"revision\":0,\"current_rule\":{\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"updated_at\":\"2024-12-04T19:45:47.857Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.857Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a Host\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. 
It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_host\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a Host\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"c29f3c48-c64f-4c7b-948c-3dadaff14289\",\"rule_id\":\"56004189-4e69-4a39-b4a9-195329d226e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.857Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_host\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"revision\":0,\"current_rule\":{\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"updated_at\":\"2024-12-04T19:45:47.860Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.860Z\",\"created_by\":\"elastic\",\"name\":\"Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.002\",\"name\":\"Code 
Signing\",\"reference\":\"https://attack.mitre.org/techniques/T1553/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"event.provider:\\\"Microsoft-Windows-Audit-CVE\\\" and message:\\\"[CVE-2020-0601]\\\" and host.os.type:windows\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)\",\"description\":\"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. 
An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.002\",\"name\":\"Code 
Signing\",\"reference\":\"https://attack.mitre.org/techniques/T1553/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true}],\"id\":\"8ec857aa-8821-4206-9f32-aa83de1ffd4c\",\"rule_id\":\"56557cde-d923-4b88-adee-c61b3f3b5dc3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.860Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"event.provider:\\\"Microsoft-Windows-Audit-CVE\\\" and message:\\\"[CVE-2020-0601]\\\" and host.os.type:windows\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"revision\":0,\"current_rule\":{\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"updated_at\":\"2024-12-04T19:45:47.869Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.869Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell PSReflect Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell PSReflect Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. 
It also helps to create enums and structs easily—all without touching the disk.\\n\\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\\n\\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious 
processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of PSReflect to access the win32 API\"],\"from\":\"now-9m\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"New-InMemoryModule\\\" or\\n \\\"Add-Win32Type\\\" or\\n psenum or\\n DefineDynamicAssembly or\\n DefineDynamicModule or\\n \\\"Reflection.TypeAttributes\\\" or\\n \\\"Reflection.Emit.OpCodes\\\" or\\n \\\"Reflection.Emit.CustomAttributeBuilder\\\" or\\n \\\"Runtime.InteropServices.DllImportAttribute\\\"\\n ) and\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell PSReflect Script\",\"description\":\"Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell PSReflect Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily—all without touching the disk.\\n\\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\\n\\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of PSReflect to access the win32 API\"],\"references\":[\"https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to 
implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"848ad196-d748-4bd0-8e41-f6786e759e80\",\"rule_id\":\"56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.869Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text:(\\n \\\"New-InMemoryModule\\\" or\\n \\\"Add-Win32Type\\\" or\\n psenum or\\n DefineDynamicAssembly or\\n DefineDynamicModule or\\n \\\"Reflection.TypeAttributes\\\" or\\n \\\"Reflection.Emit.OpCodes\\\" or\\n \\\"Reflection.Emit.CustomAttributeBuilder\\\" or\\n \\\"Runtime.InteropServices.DllImportAttribute\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"revision\":0,\"current_rule\":{\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"updated_at\":\"2024-12-04T19:45:47.874Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.874Z\",\"created_by\":\"elastic\",\"name\":\"VNC (Virtual Network Computing) from the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. 
Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 
or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"VNC (Virtual Network Computing) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. 
Usage that is unfamiliar to server or network owners can be unexpected and suspicious.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"5e008dca-8f5c-4be9-bc79-564740961f5d\",\"rule_id\":\"5700cb81-df44-46aa-a5d7-337798f53eb8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:47.874Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and destination.port >= 5800 and 
destination.port <= 5810 and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"revision\":0,\"current_rule\":{\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"updated_at\":\"2024-12-04T19:45:48.951Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.951Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell MiniDump Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell MiniDump Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell scripts that use this capability for troubleshooting.\"],\"from\":\"now-9m\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1\",\"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell MiniDump Script\",\"description\":\"This rule detects 
PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell MiniDump Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check if the imported function was executed and which process it targeted.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"PowerShell scripts that use this capability for troubleshooting.\"],\"references\":[\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1\",\"https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"766092cd-a124-4237-9ef0-15a2f2abab82\",\"rule_id\":\"577ec21e-56fe-4065-91d8-45eb8224fe77\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.951Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"revision\":0,\"current_rule\":{\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"updated_at\":\"2024-12-04T19:45:48.821Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.821Z\",\"created_by\":\"elastic\",\"name\":\"File Staged in Root Folder of Recycle Bin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies files written to the root of the Recycle Bin folder instead of subdirectories. 
Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.001\",\"name\":\"Local Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\" and\\n not file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\\\\\\*\\\" and\\n not file.name : \\\"desktop.ini\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File Staged in Root Folder of Recycle Bin\",\"description\":\"Identifies files written to the root of the Recycle Bin folder instead of 
subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1074\",\"name\":\"Data Staged\",\"reference\":\"https://attack.mitre.org/techniques/T1074/\",\"subtechnique\":[{\"id\":\"T1074.001\",\"name\":\"Local Data Staging\",\"reference\":\"https://attack.mitre.org/techniques/T1074/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14478b7e-2c17-4ae3-aea1-27b0a5064aea\",\"rule_id\":\"57bccf1d-daf5-4e1a-9049-ff79b5254704\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.821Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type 
== \\\"windows\\\" and event.type == \\\"creation\\\" and\\n file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\" and\\n not file.path : \\\"?:\\\\\\\\$RECYCLE.BIN\\\\\\\\*\\\\\\\\*\\\" and\\n not file.name : \\\"desktop.ini\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"revision\":0,\"current_rule\":{\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"updated_at\":\"2024-12-04T19:45:48.824Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.824Z\",\"created_by\":\"elastic\",\"name\":\"DNS Global Query Block List Modified or Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing\",\"https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n(\\n (registry.value : \\\"EnableGlobalQueryBlockList\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")) or\\n (registry.value : \\\"GlobalQueryBlockList\\\" and not registry.data.strings : \\\"wpad\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNS Global Query Block List Modified or Disabled\",\"description\":\"Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. 
Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing\",\"https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9e508560-c4ec-4b9a-8e39-37a26dbae8c8\",\"rule_id\":\"57bfa0a9-37c0-44d6-b724-54bf16787492\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.824Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n(\\n (registry.value : \\\"EnableGlobalQueryBlockList\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")) or\\n (registry.value : \\\"GlobalQueryBlockList\\\" and not registry.data.strings : \\\"wpad\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"revision\":0,\"current_rule\":{\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"updated_at\":\"2024-12-04T19:45:48.828Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.828Z\",\"created_by\":\"elastic\",\"name\":\"Deleting Backup Catalogs with Wbadmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the wbadmin.exe to delete the backup catalog. 
Ransomware and other malware may do this to prevent system recovery.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Deleting Backup Catalogs with Wbadmin\\n\\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\\n\\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- 
Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name == \\\"WBADMIN.EXE\\\") and\\n process.args : \\\"catalog\\\" and process.args : \\\"delete\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Deleting Backup Catalogs with Wbadmin\",\"description\":\"Identifies use of the wbadmin.exe to delete the backup catalog. 
Ransomware and other malware may do this to prevent system recovery.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Deleting Backup Catalogs with Wbadmin\\n\\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\\n\\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\\n\\n### Related rules\\n\\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\\n\\n### Response and remediation\\n\\n- 
Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- If any backups were affected:\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"},{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e2e8f252-1593-4e90-b3c1-a0b29a4a3145\",\"rule_id\":\"581add16-df76-42bb-af8e-c979bfb39a59\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.828Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name == \\\"WBADMIN.EXE\\\") and\\n process.args : \\\"catalog\\\" and process.args : 
\\\"delete\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"revision\":0,\"current_rule\":{\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"updated_at\":\"2024-12-04T19:45:40.184Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.184Z\",\"created_by\":\"elastic\",\"name\":\"RDP Enabled via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. 
This could be indicative of adversary lateral movement preparation.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating RDP Enabled via Registry\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it using firewall rules:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\" and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RDP Enabled via Registry\",\"description\":\"Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating RDP Enabled via Registry\\n\\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\\n\\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\\n\\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user to check if they are aware of the operation.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\\n- Check if the host is directly exposed to the internet.\\n- Check whether privileged accounts accessed the host shortly after the modification.\\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If RDP is needed, make sure to secure it using firewall rules:\\n - Allowlist RDP traffic to specific trusted hosts.\\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data 
Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"43f251f8-9f51-4a8e-b901-b03bebacf967\",\"rule_id\":\"58aa72ca-d968-4f34-b9f7-bea51d75eb50\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.184Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == 
\\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\" and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\",\\n \\\"MACHINE\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\fDenyTSConnections\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesRemote.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesAdvanced.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemSettingsAdminFlows.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\TiWorker.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"revision\":0,\"current_rule\":{\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"updated_at\":\"2024-12-04T19:45:48.833Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.833Z\",\"created_by\":\"elastic\",\"name\":\"Potential Lateral Tool Transfer via SMB Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or change of a Windows executable file over network shares. 
Adversaries may transfer tools or other files between systems in a compromised environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Lateral Tool Transfer via SMB Share\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the created file and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-endpoint.events.network-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid == 4 and destination.port == 445 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n network.transport == \\\"tcp\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n /* add more executable extensions here if they are not noisy in your environment */\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and process.pid == 4 and \\n (file.Ext.header_bytes : \\\"4d5a*\\\" or file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"pif\\\", \\\"com\\\", \\\"dll\\\"))] by 
process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Lateral Tool Transfer via SMB Share\",\"description\":\"Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Lateral Tool Transfer via SMB Share\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the created file and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]},{\"id\":\"T1570\",\"name\":\"Lateral Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1570/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"a7c5f068-6cc2-4128-94c3-64e04b0c059f\",\"rule_id\":\"58bc134c-e8d2-4291-a552-b4b3e537c60b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.833Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid == 4 and destination.port == 445 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n network.transport == \\\"tcp\\\" and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n /* add more executable extensions here if they are not noisy in your environment */\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and process.pid == 4 and \\n (file.Ext.header_bytes : \\\"4d5a*\\\" or file.extension : (\\\"exe\\\", \\\"scr\\\", \\\"pif\\\", \\\"com\\\", \\\"dll\\\"))] by 
process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"revision\":0,\"current_rule\":{\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"updated_at\":\"2024-12-04T19:45:48.851Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.851Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Privileged IFileOperation COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL 
Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/hfiref0x/UACME\",\"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"change\\\" and process.name : \\\"dllhost.exe\\\" and\\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\\n file.name : (\\\"wow64log.dll\\\", \\\"comctl32.dll\\\", \\\"DismCore.dll\\\", \\\"OskSupport.dll\\\", \\\"duser.dll\\\", \\\"Accessibility.ni.dll\\\") and\\n /* has no impact on rule logic just to avoid OS install related FPs 
*/\\n not file.path : (\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt via Privileged IFileOperation COM Interface\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/hfiref0x/UACME\",\"https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control 
Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae4cc076-0683-473f-ae07-d62434ff5ff0\",\"rule_id\":\"5a14d01d-7ac8-4545-914c-b687c2cf66b3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.851Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"change\\\" and process.name : \\\"dllhost.exe\\\" and\\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\\n file.name : (\\\"wow64log.dll\\\", \\\"comctl32.dll\\\", \\\"DismCore.dll\\\", \\\"OskSupport.dll\\\", \\\"duser.dll\\\", \\\"Accessibility.ni.dll\\\") and\\n /* has no impact on rule logic just to avoid OS install related FPs */\\n not file.path : 
(\\\"C:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"revision\":0,\"current_rule\":{\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"updated_at\":\"2024-12-04T19:45:48.861Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.861Z\",\"created_by\":\"elastic\",\"name\":\"Potential Secure File Deletion via SDelete Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Secure File Deletion via SDelete Utility\\n\\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\\n\\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data 
Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and file.name : \\\"*AAA.AAA\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Secure File Deletion via SDelete Utility\",\"description\":\"Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Secure File Deletion via SDelete Utility\\n\\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. 
Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\\n\\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14bf0c5c-9e4b-4624-b47a-02c323542364\",\"rule_id\":\"5aee924b-6ceb-4633-980e-1bde8cdb40c5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.861Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and file.name : \\\"*AAA.AAA\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Impact\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"revision\":0,\"current_rule\":{\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"updated_at\":\"2024-12-04T19:45:48.866Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.866Z\",\"created_by\":\"elastic\",\"name\":\"SUID/SGUID Enumeration Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the \\\"find\\\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. 
In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"find\\\" and process.args : \\\"-perm\\\" and process.args : (\\n \\\"/6000\\\", \\\"-6000\\\", \\\"/4000\\\", \\\"-4000\\\", \\\"/2000\\\", \\\"-2000\\\", \\\"/u=s\\\", \\\"-u=s\\\", \\\"/g=s\\\", \\\"-g=s\\\", \\\"/u=s,g=s\\\", \\\"/g=s,u=s\\\"\\n) and not (\\n user.Ext.real.id == \\\"0\\\" or group.Ext.real.id == \\\"0\\\" or process.args_count >= 12 or \\n (process.args : \\\"/usr/bin/pkexec\\\" and process.args : \\\"-xdev\\\" and process.args_count == 7)\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SUID/SGUID Enumeration Detected\",\"description\":\"This rule monitors for the usage of the \\\"find\\\" command in conjunction with SUID and 
SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"85ed98d7-3c30-4d8b-a6b7-c9b1b793b9d5\",\"rule_id\":\"5b06a27f-ad72-4499-91db-0c69667bffa5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.866Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\nprocess.name == \\\"find\\\" and process.args : \\\"-perm\\\" and process.args : (\\n \\\"/6000\\\", \\\"-6000\\\", \\\"/4000\\\", \\\"-4000\\\", \\\"/2000\\\", \\\"-2000\\\", \\\"/u=s\\\", \\\"-u=s\\\", \\\"/g=s\\\", \\\"-g=s\\\", \\\"/u=s,g=s\\\", \\\"/g=s,u=s\\\"\\n) and not (\\n 
user.Ext.real.id == \\\"0\\\" or group.Ext.real.id == \\\"0\\\" or process.args_count >= 12 or \\n (process.args : \\\"/usr/bin/pkexec\\\" and process.args : \\\"-xdev\\\" and process.args_count == 7)\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"revision\":0,\"current_rule\":{\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"updated_at\":\"2024-12-04T19:45:48.868Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.868Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious which Enumeration\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the which command with an unusual amount of process arguments. 
Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move laterally across the network.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not process.parent.name == \\\"jem\\\" and \\nnot process.args == \\\"--tty-only\\\"\\n\\n/* potential tuning if rule would turn out to be noisy\\nand 
process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious which Enumeration\",\"description\":\"This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move laterally across the network.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f248845-dc8d-4ad8-b9fa-4bd0517d922f\",\"rule_id\":\"5b18eef4-842c-4b47-970f-f08d24004bde\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.868Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not process.parent.name == \\\"jem\\\" and \\nnot process.args == \\\"--tty-only\\\"\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"which\\\" and process.args_count >= 10 and not (\\n process.parent.name == \\\"jem\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/lib/docker/*\\\") 
or\\n process.args == \\\"--tty-only\\\"\\n)\\n\\n/* potential tuning if rule would turn out to be noisy\\nand process.args in (\\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", nc.traditional\\\", \\\"gcc\\\", \\\"g++\\\", \\\"socat\\\") and \\nprocess.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"revision\":0,\"current_rule\":{\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"updated_at\":\"2024-12-04T19:45:48.873Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.873Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PrintSpooler Service Executable File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. 
For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/\",\"https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\sysWOW64\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PrintSpooler Service Executable File Creation\",\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. 
For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/\",\"https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4910a749-99f5-4881-9d29-10e526640130\",\"rule_id\":\"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.873Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : 
\\\"dll\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"file.path\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"high\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":73,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"k
eyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"eql\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\
\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category : \\\"file\\\" and host.os.type : \\\"windows\\\" and event.type : \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":false},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\PrintConfig.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\x5lrs.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : \\\"spoolsv.exe\\\" and file.extension : \\\"dll\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\sysWOW64\\\\\\\\x5lrs.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\PrintConfig.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS\\\\\\\\W32X86\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\PRTPROCS\\\\\\\\x64\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\{????????-????-????-????-????????????}\\\\\\\\*.dll\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"host.id\",\"file.path\"],\"merged_version\":[\"host.id\",\"file.path\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":13,\"num_fields_with_conflicts\":12,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"revision\":0,\"current_rule\":{\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"updated_at\":\"2024-12-04T19:46:03.767Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.767Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Veeam Credential Access Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\",\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging 
policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"[dbo].[Credentials]\\\" and\\n (\\\"Veeam\\\" or \\\"VeeamBackup\\\")\\n ) or\\n \\\"ProtectedStorage]::GetLocalString\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Veeam Credential Access Capabilities\",\"description\":\"Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html\",\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c6ec4463-0d4a-4749-9037-0ed60f160cf0\",\"rule_id\":\"5c602cba-ae00-4488-845d-24de2b6d8055\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.767Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"[dbo].[Credentials]\\\" and\\n (\\\"Veeam\\\" or \\\"VeeamBackup\\\")\\n ) or\\n \\\"ProtectedStorage]::GetLocalString\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"revision\":0,\"current_rule\":{\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"updated_at\":\"2024-12-04T19:45:48.880Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.880Z\",\"created_by\":\"elastic\",\"name\":\"FirstTime Seen Account Performing DCSync\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating FirstTime Seen Account Performing DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 
3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"new_terms\",\"query\":\"event.action:(\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and event.code:\\\"4662\\\" and\\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\\n 
*DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\\n\",\"new_terms_fields\":[\"winlog.event_data.SubjectUserName\"],\"history_window_start\":\"now-15d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"FirstTime Seen Account Performing DCSync\",\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating FirstTime Seen Account Performing DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. 
This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"d1d66543-3031-4361-8ba0-333debd7715f\",\"rule_id\":\"5c6f4c58-b381-452a-8976-f1b1c6aa0def\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.880Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.action:(\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and event.code:\\\"4662\\\" and\\n 
winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\\n\",\"new_terms_fields\":[\"winlog.event_data.SubjectUserName\"],\"history_window_start\":\"now-15d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"revision\":0,\"current_rule\":{\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"updated_at\":\"2024-12-04T19:45:48.883Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.883Z\",\"created_by\":\"elastic\",\"name\":\"Potential Meterpreter Reverse Shell\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. 
Detecting this pattern is indicative of a successful meterpreter shell connection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat 
is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -w /proc/net/ -p r -k audit_proc\\n -w /etc/machine-id -p wa -k machineid\\n -w /etc/passwd -p wa -k passwd\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, user.id\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/machine-id\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall 
== \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/passwd\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/ipv6_route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/if_inet6\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Meterpreter Reverse Shell\",\"description\":\"This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -w /proc/net/ -p r -k audit_proc\\n -w /etc/machine-id -p wa -k machineid\\n -w /etc/passwd -p wa -k 
passwd\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5db82cf-28fe-4474-8615-97902edc71d0\",\"rule_id\":\"5c895b4f-9133-4e68-9e23-59902175355c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.883Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, user.id\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/machine-id\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/etc/passwd\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == \\\"/proc/net/ipv6_route\\\"]\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"open\\\" and auditd.data.a2 == \\\"1b6\\\" and file.path == 
\\\"/proc/net/if_inet6\\\"]\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"revision\":0,\"current_rule\":{\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"updated_at\":\"2024-12-04T19:45:48.894Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.894Z\",\"created_by\":\"elastic\",\"name\":\"Outbound Scheduled Task Activity via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. 
This may indicate lateral movement or remote discovery via scheduled tasks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\
",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and destination.port == 135 and not destination.address in (\\\"127.0.0.1\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Outbound Scheduled Task Activity via PowerShell\",\"description\":\"Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. 
This may indicate lateral movement or remote discovery via scheduled tasks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"74612fc5-dd90-4bd3-839b-513e4889f540\",\"rule_id\":\"5cd55388-a19c-47c7-8ec4-f41656c2fded\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.894Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and destination.port == 135 and not destination.address in (\\\"127.0.0.1\\\", 
\\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\"],\"target_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"revision\":0,\"current_rule\":{\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"updated_at\":\"2024-12-04T19:45:48.896Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.896Z\",\"created_by\":\"elastic\",\"name\":\"User Added to Privileged Group\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Added to Privileged Group in Active Directory\\n\\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\\n\\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\\n\\nThis rule monitors events related to a user being added to a privileged group.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should manage members of this group.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\\n- If the user does not need the administrator privileges, remove the account from the privileged group.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Skoetting\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.action == \\\"added-member-to-group\\\" and\\n(\\n (\\n group.name : (\\n \\\"Admin*\\\",\\n \\\"Local Administrators\\\",\\n \\\"Domain Admins\\\",\\n \\\"Enterprise Admins\\\",\\n \\\"Backup Admins\\\",\\n \\\"Schema Admins\\\",\\n \\\"DnsAdmins\\\",\\n \\\"Exchange Organization Administrators\\\",\\n \\\"Print Operators\\\",\\n \\\"Server Operators\\\",\\n \\\"Account Operators\\\"\\n )\\n ) or\\n (\\n group.id : (\\n \\\"S-1-5-32-544\\\",\\n \\\"S-1-5-21-*-544\\\",\\n \\\"S-1-5-21-*-512\\\",\\n \\\"S-1-5-21-*-519\\\",\\n 
\\\"S-1-5-21-*-551\\\",\\n \\\"S-1-5-21-*-518\\\",\\n \\\"S-1-5-21-*-1101\\\",\\n \\\"S-1-5-21-*-1102\\\",\\n \\\"S-1-5-21-*-550\\\",\\n \\\"S-1-5-21-*-549\\\",\\n \\\"S-1-5-21-*-548\\\"\\n )\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User Added to Privileged Group\",\"description\":\"Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating User Added to Privileged Group in Active Directory\\n\\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\\n\\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\\n\\nThis rule monitors events related to a user being added to a privileged group.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should manage members of this group.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\\n- If the user does not need the administrator privileges, remove the account from the privileged group.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Skoetting\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"96f7c180-8673-408d-93fc-245dec7dbb5b\",\"rule_id\":\"5cd8e1f7-0050-4afc-b2df-904e40b2f5ae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.896Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where 
winlog.api == \\\"wineventlog\\\" and event.action == \\\"added-member-to-group\\\" and\\n(\\n (\\n group.name : (\\n \\\"Admin*\\\",\\n \\\"Local Administrators\\\",\\n \\\"Domain Admins\\\",\\n \\\"Enterprise Admins\\\",\\n \\\"Backup Admins\\\",\\n \\\"Schema Admins\\\",\\n \\\"DnsAdmins\\\",\\n \\\"Exchange Organization Administrators\\\",\\n \\\"Print Operators\\\",\\n \\\"Server Operators\\\",\\n \\\"Account Operators\\\"\\n )\\n ) or\\n (\\n group.id : (\\n \\\"S-1-5-32-544\\\",\\n \\\"S-1-5-21-*-544\\\",\\n \\\"S-1-5-21-*-512\\\",\\n \\\"S-1-5-21-*-519\\\",\\n \\\"S-1-5-21-*-551\\\",\\n \\\"S-1-5-21-*-518\\\",\\n \\\"S-1-5-21-*-1101\\\",\\n \\\"S-1-5-21-*-1102\\\",\\n \\\"S-1-5-21-*-550\\\",\\n \\\"S-1-5-21-*-549\\\",\\n \\\"S-1-5-21-*-548\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"revision\":0,\"current_rule\":{\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"updated_at\":\"2024-12-04T19:45:48.899Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.899Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via PowerShell profile\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via PowerShell profile\\n\\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. 
However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\\n\\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\\n- Identify the process responsible for the PowerShell profile creation/modification. 
Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell 
Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles\",\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\PowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\*\\\") and\\n file.name : (\\\"profile.ps1\\\", \\\"Microsoft.Powershell_profile.ps1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via PowerShell profile\",\"description\":\"Identifies the creation or modification of a PowerShell profile. 
PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via PowerShell profile\\n\\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\\n\\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\\n- Identify the process responsible for the PowerShell profile creation/modification. 
Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles\",\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.013\",\"name\":\"PowerShell Profile\",\"reference\":\"https://attack.mitre.org/techniques/T1546/013/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f155262a-fdd8-4b2d-9e88-3ac4a9af3e66\",\"rule_id\":\"5cf6397e-eb91-4f31-8951-9f0eaa755a31\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.899Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\WindowsPowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\PowerShell\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\*\\\") and\\n file.name : (\\\"profile.ps1\\\", \\\"Microsoft.Powershell_profile.ps1\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"revision\":0,\"current_rule\":{\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"updated_at\":\"2024-12-04T19:45:48.903Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.903Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Scheduled Task\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks running third party 
software.\"],\"from\":\"now-9m\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* Schedule service cmdline on Win10+ */\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"Schedule\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) and\\n /* add suspicious paths here */\\n process.args : (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\HP\\\\\\\\*\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\*.bat\\\" and process.working_directory : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\") and\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n not (process.name : 
\\\"powershell.exe\\\" and process.args : (\\\"-File\\\", \\\"-PSConsoleFile\\\") and user.id : \\\"S-1-5-18\\\") and\\n not (process.name : \\\"msiexec.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Scheduled Task\",\"description\":\"Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks running third party software.\"],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cf1f58c6-a208-446d-8547-341c14f018eb\",\"rule_id\":\"5d1d6907-0747-4d5d-9b24-e4a18853dc0a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.903Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* Schedule service cmdline on Win10+ */\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"Schedule\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in\\n 
(\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) and\\n /* add suspicious paths here */\\n process.args : (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\HP\\\\\\\\*\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\*.bat\\\" and process.working_directory : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\\\\") and\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : (\\\"-File\\\", \\\"-PSConsoleFile\\\") and user.id : \\\"S-1-5-18\\\") and\\n not (process.name : \\\"msiexec.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"revision\":0,\"current_rule\":{\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"updated_at\":\"2024-12-04T19:46:03.772Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.772Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL loaded by DNS Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. 
This can lead to privilege escalation and remote code execution with SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://adsecurity.org/?p=4064\",\"https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.category : (\\\"library\\\", \\\"process\\\") and\\n event.type : (\\\"start\\\", \\\"change\\\") and event.action : (\\\"load\\\", \\\"Image loaded*\\\") and\\n process.executable : 
\\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dns.exe\\\" and \\n not ?dll.code_signature.trusted == true and\\n not file.code_signature.status == \\\"Valid\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL loaded by DNS Service\",\"description\":\"Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\",\"https://adsecurity.org/?p=4064\",\"https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ff3141ab-e4a0-4527-8d1c-98db8a5d20b1\",\"rule_id\":\"5d676480-9655-4507-adc6-4eec311efff8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.772Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.category : (\\\"library\\\", \\\"process\\\") and\\n event.type : (\\\"start\\\", \\\"change\\\") and event.action : (\\\"load\\\", \\\"Image loaded*\\\") and\\n process.executable : \\\"?:\\\\\\\\windows\\\\\\\\system32\\\\\\\\dns.exe\\\" and \\n not ?dll.code_signature.trusted == true and\\n not file.code_signature.status == \\\"Valid\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"updated_at\":\"2024-12-04T19:45:48.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.908Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace 2SV Policy Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user 
accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace 2SV Policy Disabled\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\\n\\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\\n\\nThis rule detects when a 2SV policy is disabled in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\\n- After identifying the involved user account, verify administrative privileges are scoped properly.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After finding the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.\"],\"from\":\"now-130m\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.login\\\" and event.action:\\\"2sv_disable\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace 2SV Policy Disabled\",\"description\":\"Google Workspace admins may setup 2-step 
verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace 2SV Policy Disabled\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\\n\\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\\n\\nThis rule detects when a 2SV policy is disabled in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\\n- After identifying the involved user account, verify administrative privileges are scoped properly.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After finding the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - 
Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2b9df3e4-c56d-4c87-b981-73d0a070daab\",\"rule_id\":\"5e161522-2545-11ed-ac47-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.login\\\" and event.action:\\\"2sv_disable\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"revision\":0,\"current_rule\":{\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"updated_at\":\"2024-12-04T19:45:48.913Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.913Z\",\"created_by\":\"elastic\",\"name\":\"AWS S3 Bucket Enumeration or Brute Force\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Log Auditing\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS S3 Bucket Enumeration or Brute Force\\n\\nAWS S3 buckets can be be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \\\"Access Denied\\\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\\n\\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\\n\\n#### Possible investigation steps\\n\\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also caeuse false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\\n\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Known or internal account IDs or automation\"],\"from\":\"now-6m\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1657\",\"name\":\"Financial Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1657/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1580\",\"name\":\"Cloud Infrastructure Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1580/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1530\",\"name\":\"Data from Cloud Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1530/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1\",\"https://docs.aws.amazon.com/cli/latest/reference/s3api/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n| stats failed_requests = count(*) by 
tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS S3 Bucket Enumeration or Brute Force\",\"description\":\"Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS S3 Bucket Enumeration or Brute Force\\n\\nAWS S3 buckets can be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \\\"Access Denied\\\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\\n\\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\\n\\n#### Possible investigation steps\\n\\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also cause false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\\n\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Log Auditing\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Known or internal account IDs or automation\"],\"references\":[\"https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1\",\"https://docs.aws.amazon.com/cli/latest/reference/s3api/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1657\",\"name\":\"Financial Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1657/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1580\",\"name\":\"Cloud Infrastructure Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1580/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1530\",\"name\":\"Data from Cloud 
Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1530/\"}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"fde6003d-d87c-4a18-9a2e-e247c25c9a1e\",\"rule_id\":\"5f0234fd-7f21-42af-8391-511d5fd11d5c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.913Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"merged_version\":{\"field_names\":[\"source.address\",\"tls.client.server_name\",\"cloud.account.id\",\"failed_requests\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n| stats failed_requests = count(*) by 
tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail*\\n| where event.provider == \\\"s3.amazonaws.com\\\" and aws.cloudtrail.error_code == \\\"AccessDenied\\\"\\n// keep only relevant fields\\n| keep tls.client.server_name, source.address, cloud.account.id\\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\\n // can modify the failed request count or tweak time window to fit environment\\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\\n| where failed_requests > 40\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"revision\":0,\"current_rule\":{\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"updated_at\":\"2024-12-04T19:46:03.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.774Z\",\"created_by\":\"elastic\",\"name\":\"Potential 
File Download via a Headless Browser\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Download via a Headless Browser\\n\\n- Investigate the process execution chain (parent process tree).\\n- Investigate the process network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msedge/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\") and\\n (process.args : \\\"--headless*\\\" or process.args : \\\"data:text/html;base64,*\\\") and\\n process.parent.name :\\n (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"mshta.exe\\\", \\\"conhost.exe\\\", \\\"msiexec.exe\\\",\\n \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\", \\\"onenote.exe\\\", \\\"hh.exe\\\", \\\"powerpnt.exe\\\", \\\"forfiles.exe\\\",\\n \\\"pcalua.exe\\\", \\\"wmiprvse.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential File Download via a Headless Browser\",\"description\":\"Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. 
Adversaries may use browsers to avoid ingress tool transfer restrictions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Download via a Headless Browser\\n\\n- Investigate the process execution chain (parent process tree).\\n- Investigate the process network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msedge/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cbb3e24b-5ad1-4cc2-aca2-b220fdadeab5\",\"rule_id\":\"5f2f463e-6997-478c-8405-fb41cc283281\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\") and\\n (process.args : \\\"--headless*\\\" or process.args : \\\"data:text/html;base64,*\\\") and\\n process.parent.name :\\n (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"mshta.exe\\\", \\\"conhost.exe\\\", \\\"msiexec.exe\\\",\\n \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\", \\\"onenote.exe\\\", \\\"hh.exe\\\", \\\"powerpnt.exe\\\", \\\"forfiles.exe\\\",\\n \\\"pcalua.exe\\\", 
\\\"wmiprvse.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Windows\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"revision\":0,\"current_rule\":{\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"updated_at\":\"2024-12-04T19:45:48.927Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.927Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network activity from unexpected system applications. 
This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process Network Connection\\n\\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that the process is communicating with.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\"}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n 
process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Network Connection\",\"description\":\"Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process Network Connection\\n\\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the target host that the process is communicating with.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"96e852a0-3151-4da5-8833-85c7864192e6\",\"rule_id\":\"610949a1-312f-4e04-bb55-3a79b8c95267\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.927Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : \\\"xwizard.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"Microsoft.Workflow.Compiler.exe\\\" or\\n process.name : \\\"bginfo.exe\\\" or\\n process.name : \\\"cdb.exe\\\" or\\n process.name : \\\"cmstp.exe\\\" or\\n process.name : \\\"csi.exe\\\" or\\n process.name : \\\"dnx.exe\\\" or\\n process.name : \\\"fsi.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or\\n process.name : \\\"iexpress.exe\\\" or\\n process.name : \\\"odbcconf.exe\\\" or\\n process.name : \\\"rcsi.exe\\\" or\\n process.name : 
\\\"xwizard.exe\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"revision\":0,\"current_rule\":{\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"updated_at\":\"2024-12-04T19:45:48.929Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.929Z\",\"created_by\":\"elastic\",\"name\":\"Interactive Logon by an Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies interactive logon attempt with alternate credentials and by an unusual process. 
Adversaries may create a new token to escalate privileges and bypass access controls.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nAudit event 4624 is needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"authentication where \\n host.os.type : \\\"windows\\\" and winlog.event_data.LogonProcessName : \\\"Advapi*\\\" and \\n winlog.logon.type == \\\"Interactive\\\" and winlog.event_data.SubjectUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and \\n winlog.event_data.TargetUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.executable : \\\"C:\\\\\\\\*\\\" and \\n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winlogon.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wininit.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Interactive Logon by an Unusual Process\",\"description\":\"Identifies interactive logon attempt with alternate credentials and by an unusual process. 
Adversaries may create a new token to escalate privileges and bypass access controls.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1134/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.002\",\"name\":\"Create Process with Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/002/\"},{\"id\":\"T1134.003\",\"name\":\"Make and Impersonate Token\",\"reference\":\"https://attack.mitre.org/techniques/T1134/003/\"}]}]}],\"setup\":\"## Setup\\n\\nAudit event 4624 is needed to trigger this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"df2fad4b-6d57-4050-99e9-a042d12bafed\",\"rule_id\":\"61766ef9-48a5-4247-ad74-3349de7eb2ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.929Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"authentication where \\n host.os.type : \\\"windows\\\" and winlog.event_data.LogonProcessName : \\\"Advapi*\\\" and \\n winlog.logon.type == \\\"Interactive\\\" and winlog.event_data.SubjectUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and \\n winlog.event_data.TargetUserSid : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.executable : \\\"C:\\\\\\\\*\\\" and \\n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\winlogon.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wininit.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"revision\":0,\"current_rule\":{\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"updated_at\":\"2024-12-04T19:45:48.932Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.932Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Discovery 
Related Windows API Functions\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n\\n### False positive analysis\\n\\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"from\":\"now-9m\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":214,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n NetShareEnum or\\n NetWkstaUserEnum or\\n NetSessionEnum or\\n NetLocalGroupEnum or\\n NetLocalGroupGetMembers or\\n DsGetSiteName or\\n 
DsEnumerateDomainTrusts or\\n WTSEnumerateSessionsEx or\\n WTSQuerySessionInformation or\\n LsaGetLogonSessionData or\\n QueryServiceObjectSecurity or\\n GetComputerNameEx or\\n NetWkstaGetInfo or\\n GetUserNameEx or\\n NetUserEnum or\\n NetUserGetInfo or\\n NetGroupEnum or\\n NetGroupGetInfo or\\n NetGroupGetUsers or\\n NetWkstaTransportEnum or\\n NetServerGetInfo or\\n LsaEnumerateTrustedDomains or\\n NetScheduleJobEnum or\\n NetUserModalsGet\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"DsGetSiteName\\\" and (\\\"DiscoverWindowsComputerProperties.ps1\\\" and \\\"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\\\")) or\\n (\\\"# Copyright: (c) 2018, Ansible Project\\\" and \\\"#Requires -Module Ansible.ModuleUtils.AddType\\\" and \\\"#AnsibleRequires -CSharpUtil Ansible.Basic\\\") or\\n (\\\"Ansible.Windows.Setup\\\" and \\\"Ansible.Windows.Setup\\\" and \\\"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\\\")\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Discovery Related Windows API Functions\",\"description\":\"This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\\n\\n### False positive analysis\\n\\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. 
However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":316,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell scripts that make use of these functions.\"],\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413\",\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"9b70ff72-a6cb-4d9c-a43a-719cb8dd57d9\",\"rule_id\":\"61ac3638-40a3-44b2-855a-985636ca985e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.932Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n NetShareEnum or\\n NetWkstaUserEnum or\\n NetSessionEnum or\\n NetLocalGroupEnum or\\n NetLocalGroupGetMembers or\\n DsGetSiteName or\\n DsEnumerateDomainTrusts or\\n WTSEnumerateSessionsEx or\\n WTSQuerySessionInformation or\\n LsaGetLogonSessionData or\\n QueryServiceObjectSecurity or\\n GetComputerNameEx or\\n NetWkstaGetInfo or\\n GetUserNameEx or\\n NetUserEnum or\\n NetUserGetInfo or\\n NetGroupEnum or\\n NetGroupGetInfo or\\n NetGroupGetUsers or\\n NetWkstaTransportEnum or\\n NetServerGetInfo or\\n LsaEnumerateTrustedDomains or\\n NetScheduleJobEnum or\\n NetUserModalsGet\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"DsGetSiteName\\\" and 
(\\\"DiscoverWindowsComputerProperties.ps1\\\" and \\\"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\\\")) or\\n (\\\"# Copyright: (c) 2018, Ansible Project\\\" and \\\"#Requires -Module Ansible.ModuleUtils.AddType\\\" and \\\"#AnsibleRequires -CSharpUtil Ansible.Basic\\\") or\\n (\\\"Ansible.Windows.Setup\\\" and \\\"Ansible.Windows.Setup\\\" and \\\"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":214,\"target_version\":316,\"merged_version\":316,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"revision\":0,\"current_rule\":{\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"updated_at\":\"2024-12-04T19:45:48.934Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.934Z\",\"created_by\":\"elastic\",\"name\":\"AdminSDHolder SDProp Exclusion Added\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded 
from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdminSDHolder SDProp Exclusion Added\\n\\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\\n\\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\\n\\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\\n\\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\\n\\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\\n\\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of 
action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\\n - Account Operators eq 1\\n - Server Operators eq 2\\n - Print Operators eq 4\\n - Backup Operators eq 8\\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\\n\\n### False positive analysis\\n\\n- While this modification can be done legitimately, it is not a best practice. Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\\n\\n### Response and remediation\\n\\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad\",\"https://petri.com/active-directory-security-understanding-adminsdholder-object\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success)\\n```\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5136\\\" and\\n 
winlog.event_data.AttributeLDAPDisplayName : \\\"dSHeuristics\\\" and\\n length(winlog.event_data.AttributeValue) > 15 and\\n winlog.event_data.AttributeValue regex~ \\\"[0-9]{15}([1-9a-f]).*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdminSDHolder SDProp Exclusion Added\",\"description\":\"Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdminSDHolder SDProp Exclusion Added\\n\\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\\n\\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\\n\\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\\n\\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\\n\\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\\n\\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\\n - Account Operators eq 1\\n - Server Operators eq 2\\n - Print Operators eq 4\\n - Backup Operators eq 8\\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\\n\\n### False positive analysis\\n\\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\\n\\n### Response and remediation\\n\\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad\",\"https://petri.com/active-directory-security-understanding-adminsdholder-object\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit 
Policies >\\nDS Access >\\nAudit Directory Service Changes (Success)\\n```\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"0f4c47e2-24c8-43bb-9a90-b0a6baf38290\",\"rule_id\":\"61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.934Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName : \\\"dSHeuristics\\\" and\\n length(winlog.event_data.AttributeValue) > 15 and\\n winlog.event_data.AttributeValue regex~ 
\\\"[0-9]{15}([1-9a-f]).*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"revision\":0,\"current_rule\":{\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"updated_at\":\"2024-12-04T19:45:48.939Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.939Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement via MSHTA\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System 
Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://codewhitesec.blogspot.com/2018/07/lethalhta.html\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mshta.exe\\\" and process.args : \\\"-Embedding\\\"\\n ] by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and 
source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement via MSHTA\",\"description\":\"Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://codewhitesec.blogspot.com/2018/07/lethalhta.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"a6646439-8f29-46cc-a442-6ad94a65daba\",\"rule_id\":\"622ecb68-fa81-4601-90b5-f8cd661e4520\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.939Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"mshta.exe\\\" and process.args : \\\"-Embedding\\\"\\n ] by host.id, process.entity_id\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, 
process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"revision\":0,\"current_rule\":{\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"updated_at\":\"2024-12-04T19:45:48.941Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.941Z\",\"created_by\":\"elastic\",\"name\":\"Account Configured with Never-Expiring Password\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation and modification of an account with the \\\"Don't Expire Password\\\" option Enabled. 
Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Configured with Never-Expiring Password\\n\\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\\n\\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Reset the password of the account and update its password settings.\\n- Search for other occurrences on the domain.\\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\"],\"from\":\"now-9m\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire\",\"http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"modified-user-account\\\" and winlog.api:\\\"wineventlog\\\" and event.code:\\\"4738\\\" and\\n message:\\\"'Don't Expire Password' - Enabled\\\" and not user.id:\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Account Configured with Never-Expiring Password\",\"description\":\"Detects the creation and modification of an account with the \\\"Don't Expire Password\\\" option Enabled. 
Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Account Configured with Never-Expiring Password\\n\\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\\n\\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Reset the password of the account and update its password settings.\\n- Search for other occurrences on the domain.\\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. 
For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\"],\"references\":[\"https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire\",\"http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b5805976-1427-45e6-a4a7-463f1325d7f2\",\"rule_id\":\"62a70f6f-3c37-43df-a556-f64fa475fba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.013Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.941Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"modified-user-account\\\" and winlog.api:\\\"wineventlog\\\" and event.code:\\\"4738\\\" and\\n message:\\\"'Don't Expire Password' - Enabled\\\" and not 
user.id:\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"revision\":0,\"current_rule\":{\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"updated_at\":\"2024-12-04T19:45:48.946Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.946Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection Initiated by SSHD Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. 
Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and 
Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://hadess.io/the-art-of-linux-persistence/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n 
\\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\")\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection Initiated by SSHD Child Process\",\"description\":\"This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://hadess.io/the-art-of-linux-persistence/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.004\",\"name\":\"Unix Shell Configuration Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1546/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d6589a0a-1af4-48f5-8f5b-d64db577f80f\",\"rule_id\":\"63431796-f813-43af-820b-492ee2efec8e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:48.946Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n 
[network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executa
ble\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\")\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", 
\\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.executable == \\\"/usr/sbin/sshd\\\"] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not (\\n process.executable 
in (\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\") or\\n process.name in (\\\"login_duo\\\", \\\"ssh\\\", \\\"sshd\\\", \\\"sshd-session\\\")\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"revision\":0,\"current_rule\":{\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"updated_at\":\"2024-12-04T19:45:49.908Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.908Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Signed Binary\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Signed Binary\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. 
Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the 
Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address 
and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n not cidrmatch(destination.ip,\\n \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\",\\n \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\",\\n \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", 
\\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Signed Binary\",\"description\":\"Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Signed Binary\\n\\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fee9de56-691c-4348-b41e-f498bf8dd222\",\"rule_id\":\"63e65ec3-43b1-45b0-8f2d-45b34291dc44\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.908Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and (process.name : \\\"expand.exe\\\" or process.name : \\\"extrac32.exe\\\" or\\n process.name : \\\"ieexec.exe\\\" or process.name : \\\"makecab.exe\\\") and\\n not cidrmatch(destination.ip,\\n \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\",\\n \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\",\\n \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", 
\\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"revision\":0,\"current_rule\":{\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"updated_at\":\"2024-12-04T19:45:49.916Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.916Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Recently Compiled Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. 
Attackers may spawn reverse shells to establish persistence onto a target system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and \\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")] by process.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Recently Compiled Executable\",\"description\":\"This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. 
Attackers may spawn reverse shells to establish persistence onto a target system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"feee5663-d92d-4369-b770-cf4174503063\",\"rule_id\":\"64cfca9e-0f6f-4048-8251-9ec56a055e9e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.916Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" 
and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and \\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n 
[process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=1m\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and \\n process.name in (\\\"gcc\\\", \\\"g++\\\", \\\"cc\\\")] by process.args\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and process.name == \\\"ld\\\"] by file.name\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\"] by process.name\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.ip != null and not (\\n cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\") or\\n process.name in (\\\"simpleX\\\", \\\"conftest\\\", \\\"ssh\\\", \\\"python\\\", \\\"ispnull\\\", \\\"pvtui\\\")\\n )] by process.name\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"revision\":0,\"current_rule\":{\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"updated_at\":\"2024-12-04T19:45:49.931Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.931Z\",\"created_by\":\"elastic\",\"name\":\"WebServer Access Logs Deleted\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\"}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where event.type == \\\"deletion\\\" and\\n file.path : (\\\"C:\\\\\\\\inetpub\\\\\\\\logs\\\\\\\\LogFiles\\\\\\\\*.log\\\",\\n \\\"/var/log/apache*/access.log\\\",\\n \\\"/etc/httpd/logs/access_log\\\",\\n \\\"/var/log/httpd/access_log\\\",\\n \\\"/var/www/*/logs/access.log\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WebServer Access Logs Deleted\",\"description\":\"Identifies the deletion of WebServer access logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ccd68042-857e-464b-a385-ffcc808d0e6e\",\"rule_id\":\"665e7a4f-c58e-4fc6-bc83-87a7572670ac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.931Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.type == \\\"deletion\\\" and\\n file.path : (\\\"C:\\\\\\\\inetpub\\\\\\\\logs\\\\\\\\LogFiles\\\\\\\\*.log\\\",\\n \\\"/var/log/apache*/access.log\\\",\\n \\\"/etc/httpd/logs/access_log\\\",\\n \\\"/var/log/httpd/access_log\\\",\\n \\\"/var/www/*/logs/access.log\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"revision\":0,\"current_rule\":{\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"updated_at\":\"2024-12-04T19:45:49.936Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.936Z\",\"created_by\":\"elastic\",\"name\":\"Connection to Commonly Abused Web Services\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1102\",\"name\":\"Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1102/\"},{\"id\":\"T1568\",\"name\":\"Dynamic 
Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\",\"subtechnique\":[{\"id\":\"T1567.001\",\"name\":\"Exfiltration to Code Repository\",\"reference\":\"https://attack.mitre.org/techniques/T1567/001/\"},{\"id\":\"T1567.002\",\"name\":\"Exfiltration to Cloud Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1567/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":114,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n 
\\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n 
\\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : 
\\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n ) \\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Connection to Commonly Abused Web Services\",\"description\":\"Adversaries may implement command and control (C2) communications that use common web 
services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":116,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1102\",\"name\":\"Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1102/\"},{\"id\":\"T1568\",\"name\":\"Dynamic Resolution\",\"reference\":\"https://attack.mitre.org/techniques/T1568/\",\"subtechnique\":[{\"id\":\"T1568.002\",\"name\":\"Domain Generation Algorithms\",\"reference\":\"https://attack.mitre.org/techniques/T1568/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\",\"subtechnique\":[{\"id\":\"T1567.001\",\"name\":\"Exfiltration to Code Repository\",\"reference\":\"https://attack.mitre.org/techniques/T1567/001/\"},{\"id\":\"T1567.002\",\"name\":\"Exfiltration to Cloud 
Storage\",\"reference\":\"https://attack.mitre.org/techniques/T1567/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f02560b7-018b-4978-b854-272e71fb7fe3\",\"rule_id\":\"66883649-f908-4a5b-a1e0-54090a1d3a32\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.936Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n 
\\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and 
(process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":114,\"target_version\":116,\"merged_version\":116,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Connection to Commonly Abused Web Services\\n\\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. 
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\\n\\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Verify whether the digital signature exists in the executable.\\n- Identify the operation type (upload, download, tunneling, etc.).\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network 
Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n 
\\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\") and\\n 
\\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and 
dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n ) \\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n 
\\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n \\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n 
\\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : \\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", 
\\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"network where host.os.type == \\\"windows\\\" and 
network.protocol == \\\"dns\\\" and\\n process.name != null and user.id not in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n /* Add new WebSvc domains here */\\n dns.question.name :\\n (\\n \\\"raw.githubusercontent.*\\\",\\n \\\"pastebin.*\\\",\\n \\\"paste4btc.com\\\",\\n \\\"paste.ee\\\",\\n \\\"ghostbin.com\\\",\\n \\\"drive.google.com\\\",\\n \\\"?.docs.live.net\\\",\\n \\\"api.dropboxapi.*\\\",\\n \\\"content.dropboxapi.*\\\",\\n \\\"dl.dropboxusercontent.*\\\",\\n \\\"api.onedrive.com\\\",\\n \\\"*.onedrive.org\\\",\\n \\\"onedrive.live.com\\\",\\n \\\"filebin.net\\\",\\n \\\"*.ngrok.io\\\",\\n \\\"ngrok.com\\\",\\n \\\"*.portmap.*\\\",\\n \\\"*serveo.net\\\",\\n \\\"*localtunnel.me\\\",\\n \\\"*pagekite.me\\\",\\n \\\"*localxpose.io\\\",\\n \\\"*notabug.org\\\",\\n \\\"rawcdn.githack.*\\\",\\n \\\"paste.nrecom.net\\\",\\n \\\"zerobin.net\\\",\\n \\\"controlc.com\\\",\\n \\\"requestbin.net\\\",\\n \\\"slack.com\\\",\\n \\\"api.slack.com\\\",\\n \\\"slack-redir.net\\\",\\n \\\"slack-files.com\\\",\\n \\\"cdn.discordapp.com\\\",\\n \\\"discordapp.com\\\",\\n \\\"discord.com\\\",\\n \\\"apis.azureedge.net\\\",\\n \\\"cdn.sql.gg\\\",\\n \\\"?.top4top.io\\\",\\n \\\"top4top.io\\\",\\n \\\"www.uplooder.net\\\",\\n \\\"*.cdnmegafiles.com\\\",\\n \\\"transfer.sh\\\",\\n \\\"gofile.io\\\",\\n \\\"updates.peer2profit.com\\\",\\n \\\"api.telegram.org\\\",\\n \\\"t.me\\\",\\n \\\"meacz.gq\\\",\\n \\\"rwrd.org\\\",\\n \\\"*.publicvm.com\\\",\\n \\\"*.blogspot.com\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"file.io\\\",\\n \\\"stackoverflow.com\\\",\\n \\\"*files.1drv.com\\\",\\n \\\"api.anonfile.com\\\",\\n \\\"*hosting-profi.de\\\",\\n \\\"ipbase.com\\\",\\n \\\"ipfs.io\\\",\\n \\\"*up.freeo*.space\\\",\\n \\\"api.mylnikov.org\\\",\\n \\\"script.google.com\\\",\\n \\\"script.googleusercontent.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"graph.microsoft.com\\\",\\n \\\"*.sharepoint.com\\\",\\n \\\"mbasic.facebook.com\\\",\\n \\\"login.live.com\\\",\\n 
\\\"api.gofile.io\\\",\\n \\\"api.anonfiles.com\\\",\\n \\\"api.notion.com\\\",\\n \\\"api.trello.com\\\",\\n \\\"gist.githubusercontent.com\\\",\\n \\\"files.pythonhosted.org\\\",\\n \\\"g.live.com\\\",\\n \\\"*.zulipchat.com\\\",\\n \\\"webhook.site\\\",\\n \\\"run.mocky.io\\\",\\n \\\"mockbin.org\\\", \\n \\\"www.googleapis.com\\\", \\n \\\"googleapis.com\\\",\\n \\\"global.rel.tunnels.api.visualstudio.com\\\",\\n \\\"*.devtunnels.ms\\\") and\\n \\n /* Insert noisy false positives here */\\n not (\\n (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WWAHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smartscreen.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\BraveSoftware\\\\\\\\*\\\\\\\\Application\\\\\\\\brave.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Vivaldi\\\\\\\\Application\\\\\\\\vivaldi.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera*\\\\\\\\opera.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Fiddler\\\\\\\\Fiddler.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Microsoft VS Code\\\\\\\\Code.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\mobsync.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mobsync.exe\\\"\\n )\\n ) or\\n \\n /* Discord App */\\n (process.name : 
\\\"Discord.exe\\\" and (process.code_signature.subject_name : \\\"Discord Inc.\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"discord.com\\\", \\\"cdn.discordapp.com\\\", \\\"discordapp.com\\\")\\n ) or \\n\\n /* MS Sharepoint */\\n (process.name : \\\"Microsoft.SharePoint.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Corporation\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"onedrive.live.com\\\"\\n ) or \\n\\n /* Firefox */\\n (process.name : \\\"firefox.exe\\\" and (process.code_signature.subject_name : \\\"Mozilla Corporation\\\" and\\n process.code_signature.trusted == true)\\n ) or \\n\\n /* Dropbox */\\n (process.name : \\\"Dropbox.exe\\\" and (process.code_signature.subject_name : \\\"Dropbox, Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"api.dropboxapi.com\\\", \\\"*.dropboxusercontent.com\\\")\\n ) or \\n\\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\\n (process.name : \\\"Obsidian.exe\\\" and (process.code_signature.subject_name : \\\"Dynalist Inc\\\" and\\n process.code_signature.trusted == true) and dns.question.name : \\\"raw.githubusercontent.com\\\"\\n ) or \\n\\n /* WebExperienceHostApp */\\n (process.name : \\\"WebExperienceHostApp.exe\\\" and (process.code_signature.subject_name : \\\"Microsoft Windows\\\" and\\n process.code_signature.trusted == true) and dns.question.name : (\\\"onedrive.live.com\\\", \\\"skyapi.onedrive.live.com\\\")\\n ) or\\n\\n (process.code_signature.subject_name : \\\"Microsoft *\\\" and process.code_signature.trusted == true and\\n dns.question.name : (\\\"*.sharepoint.com\\\", \\\"graph.microsoft.com\\\", \\\"g.live.com\\\", \\\"login.live.com\\\", \\\"login.live.com\\\")) or\\n\\n (process.code_signature.trusted == true and\\n process.code_signature.subject_name :\\n (\\\"Johannes Schindelin\\\",\\n \\\"Redis Inc.\\\",\\n \\\"Slack Technologies, LLC\\\",\\n \\\"Cisco Systems, 
Inc.\\\",\\n \\\"Dropbox, Inc\\\",\\n \\\"Amazon.com Services LLC\\\"))\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"revision\":0,\"current_rule\":{\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"updated_at\":\"2024-12-04T19:45:49.943Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.943Z\",\"created_by\":\"elastic\",\"name\":\"Modification of the msPKIAccountCredentials\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. 
ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136\"],\"version\":10,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit 
Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msPKIAccountCredentials\\\" and winlog.event_data.OperationType:\\\"%%14674\\\" and\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of the msPKIAccountCredentials\",\"description\":\"Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. 
ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OperationType\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b07dbb7b-b0f7-4449-baec-a7790e633a6a\",\"rule_id\":\"670b3b5a-35e5-42db-bd36-6c5b9b4b7313\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.943Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msPKIAccountCredentials\\\" and winlog.event_data.OperationType:\\\"%%14674\\\" and\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":10,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: 
Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Data Source: Active Directory\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"revision\":0,\"current_rule\":{\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"updated_at\":\"2024-12-04T19:45:40.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.172Z\",\"created_by\":\"elastic\",\"name\":\"Image File Execution Options Injection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. 
This functionality can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Image File Execution Options Injection\",\"description\":\"The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. 
This functionality can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0774bf05-bdb4-4812-9294-f6ed5ec9fd43\",\"rule_id\":\"6839c821-011d-43bd-bd5b-acff00257226\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", 
\\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Debugger\\\", \\\"MonitorProcess\\\") and length(registry.data.strings) > 0 and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*.exe\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Image File Execution Options\\\\\\\\*\\\\\\\\Debugger\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\SilentProcessExit\\\\\\\\*\\\\\\\\MonitorProcess\\\"\\n ) and\\n /* add FPs here */\\n not registry.data.strings regex~ (\\\"\\\"\\\"C:\\\\\\\\Program Files( \\\\(x86\\\\))?\\\\\\\\ThinKiosk\\\\\\\\thinkiosk\\\\.exe\\\"\\\"\\\", \\\"\\\"\\\".*\\\\\\\\PSAppDeployToolkit\\\\\\\\.*\\\"\\\"\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"revision\":0,\"current_rule\":{\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"updated_at\":\"2024-12-04T19:45:49.961Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.961Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via TelemetryController Scheduled Task Hijack\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : 
\\\"CompatTelRunner.exe\\\" and process.args : \\\"-cv*\\\" and\\n not process.name : (\\\"conhost.exe\\\",\\n \\\"DeviceCensus.exe\\\",\\n \\\"CompatTelRunner.exe\\\",\\n \\\"DismHost.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"powershell.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via TelemetryController Scheduled Task Hijack\",\"description\":\"Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5af11627-7f37-4bff-851c-c2984b35042b\",\"rule_id\":\"68921d85-d0dc-48b3-865f-43291ca2c4f2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.961Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"CompatTelRunner.exe\\\" and process.args : \\\"-cv*\\\" and\\n not process.name : (\\\"conhost.exe\\\",\\n \\\"DeviceCensus.exe\\\",\\n \\\"CompatTelRunner.exe\\\",\\n \\\"DismHost.exe\\\",\\n \\\"rundll32.exe\\\",\\n 
\\\"powershell.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"revision\":0,\"current_rule\":{\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"updated_at\":\"2024-12-04T19:45:49.968Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.968Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Admin Role Assigned to a User\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. 
An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Assigned to a User\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\\n\\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user who received the admin role.\\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify their administrative privileges are scoped properly.\\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently received this new admin role.\\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying user account that added the admin role, verify the action was intentional.\\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/172176?hl=en\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.role.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.action:\\\"ASSIGN_ROLE\\\"\\n and google_workspace.event.type:\\\"DELEGATED_ADMIN_SETTINGS\\\" and google_workspace.admin.role.name : *_ADMIN_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Admin Role Assigned to a User\",\"description\":\"Assigning the administrative role to a user will grant them access to the Google 
Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Assigned to a User\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\\n\\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user who received the admin role.\\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify their administrative privileges are scoped properly.\\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently received this new admin role.\\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying user account that added the admin role, verify the action was intentional.\\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.role.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"2e8ce13a-f327-4796-b89d-8324caf2edb1\",\"rule_id\":\"68994a6c-c7ba-4e82-b476-26a26877adf6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.968Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.category:\\\"iam\\\" and event.action:\\\"ASSIGN_ROLE\\\"\\n and google_workspace.event.type:\\\"DELEGATED_ADMIN_SETTINGS\\\" and google_workspace.admin.role.name : *_ADMIN_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/172176?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/172176?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"revision\":0,\"current_rule\":{\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"updated_at\":\"2024-12-04T19:45:40.189Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.189Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Task Created by a Windows Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. 
This can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan = 30s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"\\n )]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Task Created by a Windows Script\",\"description\":\"A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"22c4dafb-b6bc-40fa-afcb-71a4ab1d0277\",\"rule_id\":\"689b9d57-e4d5-4357-ad17-9c334609d79a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.189Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 30s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : \\\"taskschd.dll\\\") and\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and 
registry.value : \\\"Actions\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"\\n )]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"revision\":0,\"current_rule\":{\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"updated_at\":\"2024-12-04T19:45:49.973Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.973Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Access to LDAP Attributes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: System\",\"Data 
Source: Active Directory\",\"Data Source: Windows\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory 
Service Changes (Success,Failure)\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n winlog.event_data.AccessMaskDescription == \\\"Read Property\\\" and length(winlog.event_data.Properties) >= 2000\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Access to LDAP Attributes\",\"description\":\"Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: System\",\"Data Source: Active Directory\",\"Data Source: Windows\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\"}]}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration 
>\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e1be2e25-86df-404c-b5a9-bf2b89460b38\",\"rule_id\":\"68ad737b-f90a-4fe5-bda6-a68fa460044e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.973Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n winlog.event_data.AccessMaskDescription == \\\"Read Property\\\" and length(winlog.event_data.Properties) >= 2000\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"revision\":0,\"current_rule\":{\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"updated_at\":\"2024-12-04T19:45:49.976Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.976Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass via ICMLuaUtil Elevated COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"dllhost.exe\\\" and\\n process.parent.args in (\\\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\", \\\"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\\\") and\\n process.pe.original_file_name != \\\"WerFault.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass via ICMLuaUtil Elevated COM Interface\",\"description\":\"Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process 
Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bb9c000-2cf0-4a6f-9ef5-8e97eddfcf98\",\"rule_id\":\"68d56fdc-7ffa-4419-8e95-81641bd6f845\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.976Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name == \\\"dllhost.exe\\\" and\\n process.parent.args in (\\\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\\\", \\\"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\\\") and\\n process.pe.original_file_name != \\\"WerFault.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"revision\":0,\"current_rule\":{\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"updated_at\":\"2024-12-04T19:45:49.981Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.981Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM User Created Access Keys For Another User\",\"tags\":[\"Domain: Cloud\",\"Data 
Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.\"],\"from\":\"now-6m\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence\",\"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"CreateAccessKey\\\" and event.outcome == \\\"success\\\" and user.name != user.target.name\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM User 
Created Access Keys For Another User\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to 
respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user.\"],\"references\":[\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey\",\"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence\",\"https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"57ef5966-2477-4eac-ae4a-9fce5dd86794\",\"rule_id\":\"696015ef-718e-40ff-ac4a-cc2ba88dbeeb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.981Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. 
This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.\",\"target_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"merged_version\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \\nset of credentials for another user for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to 
respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM User Created Access Keys For Another User\\n\\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify both related accounts and their role in the environment.\\n- Review IAM permission policies for the user identities.\\n- Identify the applications or users that should use these accounts.\\n- Investigate other alerts associated with the accounts during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owners and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the newly created credentials from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the 
implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"CreateAccessKey\\\" and event.outcome == \\\"success\\\" and user.name != user.target.name\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, 
_index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\"\\n and event.action == \\\"CreateAccessKey\\\"\\n and event.outcome == \\\"success\\\"\\n and user.name != user.target.name\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n user.name,\\n source.address,\\n user.target.name,\\n user_agent.original,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.response_elements,\\n aws.cloudtrail.user_identity.arn,\\n aws.cloudtrail.user_identity.type,\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"revision\":0,\"current_rule\":{\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"updated_at\":\"2024-12-04T19:46:03.788Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.788Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious rc.local Error Message\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the syslog log file for error messages related 
to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. This rule detects error messages such as \\\"Connection refused,\\\" \\\"No such file or directory,\\\" or \\\"command not found\\\" in the syslog log file, which may indicate that the rc.local file has been tampered with.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Filebeat\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the Filebeat System Module to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"logs-system.syslog-*\"],\"query\":\"host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\\nmessage:(\\\"Connection refused\\\" or \\\"No such file or directory\\\" or \\\"command not found\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious rc.local Error Message\",\"description\":\"This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. 
This rule detects error messages such as \\\"Connection refused,\\\" \\\"No such file or directory,\\\" or \\\"command not found\\\" in the syslog log file, which may indicate that the rc.local file has been tampered with.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Filebeat\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the Filebeat System Module to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"94330b7f-c02c-4be3-a2ab-fc517ea2927a\",\"rule_id\":\"69c116bb-d86f-48b0-857d-3648511a6cac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.788Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"logs-system.syslog-*\"],\"query\":\"host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\\nmessage:(\\\"Connection refused\\\" or \\\"No such file or directory\\\" or \\\"command not found\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"revision\":0,\"current_rule\":{\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"updated_at\":\"2024-12-04T19:45:49.983Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.983Z\",\"created_by\":\"elastic\",\"name\":\"Modification of Boot Configuration\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of Boot Configuration\\n\\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\\n\\nThis rule identifies the usage of `bcdedit.exe` to:\\n\\n- Disable Windows Error Recovery (recoveryenabled).\\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\\n\\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and\\n (\\n (process.args : \\\"/set\\\" and process.args : \\\"bootstatuspolicy\\\" and process.args : \\\"ignoreallfailures\\\") or\\n (process.args : \\\"no\\\" and process.args : \\\"recoveryenabled\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of Boot Configuration\",\"description\":\"Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used by malware or an attacker as a destructive technique.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of Boot Configuration\\n\\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. 
These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\\n\\nThis rule identifies the usage of `bcdedit.exe` to:\\n\\n- Disable Windows Error Recovery (recoveryenabled).\\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\\n\\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n### False positive analysis\\n\\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\\n\\n### Related rules\\n\\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f1f0b7c3-df26-487f-a1e6-4364996270b2\",\"rule_id\":\"69c251fb-a5d6-4035-b5ec-40438bd829ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.014Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.983Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and\\n (\\n (process.args : \\\"/set\\\" and process.args : \\\"bootstatuspolicy\\\" and process.args : \\\"ignoreallfailures\\\") or\\n (process.args : \\\"no\\\" and process.args : \\\"recoveryenabled\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"revision\":0,\"current_rule\":{\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"updated_at\":\"2024-12-04T19:45:49.991Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.991Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Service Host Child Process - Childless Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Changes to Windows services or a rarely executed child process.\"],\"from\":\"now-9m\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and\\n\\n /* based on svchost service arguments -s svcname where the service is known to be childless */\\n process.parent.args : (\\n \\\"WdiSystemHost\\\", \\\"LicenseManager\\\", \\\"StorSvc\\\", \\\"CDPSvc\\\", \\\"cdbhsvc\\\", \\\"BthAvctpSvc\\\", \\\"SstpSvc\\\", \\\"WdiServiceHost\\\",\\n \\\"imgsvc\\\", \\\"TrkWks\\\", \\\"WpnService\\\", 
\\\"IKEEXT\\\", \\\"PolicyAgent\\\", \\\"CryptSvc\\\", \\\"netprofm\\\", \\\"ProfSvc\\\", \\\"StateRepository\\\",\\n \\\"camsvc\\\", \\\"LanmanWorkstation\\\", \\\"NlaSvc\\\", \\\"EventLog\\\", \\\"hidserv\\\", \\\"DisplayEnhancementService\\\", \\\"ShellHWDetection\\\",\\n \\\"AppHostSvc\\\", \\\"fhsvc\\\", \\\"CscService\\\", \\\"PushToInstall\\\"\\n ) and\\n\\n /* unknown FPs can be added here */\\n not process.name : (\\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RelPost.exe\\\" and process.parent.args : \\\"WdiSystemHost\\\") and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\winethc.dll,ForceProxyDetectionOnNextRun\\\" and\\n process.parent.args : \\\"WdiServiceHost\\\"\\n ) and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Kodak\\\\\\\\kds_?????\\\\\\\\lib\\\\\\\\lexexe.exe\\\"\\n ) and process.parent.args : \\\"imgsvc\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Service Host Child Process - Childless Service\",\"description\":\"Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. 
This may indicate a code injection or an equivalent form of exploitation.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Changes to Windows services or a rarely executed child process.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.012\",\"name\":\"Process 
Hollowing\",\"reference\":\"https://attack.mitre.org/techniques/T1055/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1cbd1908-5473-4027-af3c-039007ee30ea\",\"rule_id\":\"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.991Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and\\n\\n /* based on svchost service arguments -s svcname where the service is known to be childless */\\n process.parent.args : (\\n \\\"WdiSystemHost\\\", \\\"LicenseManager\\\", \\\"StorSvc\\\", \\\"CDPSvc\\\", \\\"cdbhsvc\\\", \\\"BthAvctpSvc\\\", \\\"SstpSvc\\\", \\\"WdiServiceHost\\\",\\n \\\"imgsvc\\\", \\\"TrkWks\\\", \\\"WpnService\\\", \\\"IKEEXT\\\", \\\"PolicyAgent\\\", \\\"CryptSvc\\\", \\\"netprofm\\\", \\\"ProfSvc\\\", \\\"StateRepository\\\",\\n \\\"camsvc\\\", \\\"LanmanWorkstation\\\", \\\"NlaSvc\\\", \\\"EventLog\\\", \\\"hidserv\\\", \\\"DisplayEnhancementService\\\", \\\"ShellHWDetection\\\",\\n \\\"AppHostSvc\\\", \\\"fhsvc\\\", \\\"CscService\\\", 
\\\"PushToInstall\\\"\\n ) and\\n\\n /* unknown FPs can be added here */\\n not process.name : (\\\"WerFault.exe\\\", \\\"WerFaultSecure.exe\\\", \\\"wermgr.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RelPost.exe\\\" and process.parent.args : \\\"WdiSystemHost\\\") and\\n not (\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\winethc.dll,ForceProxyDetectionOnNextRun\\\" and\\n process.parent.args : \\\"WdiServiceHost\\\"\\n ) and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Kodak\\\\\\\\kds_?????\\\\\\\\lib\\\\\\\\lexexe.exe\\\"\\n ) and process.parent.args : \\\"imgsvc\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense 
Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"revision\":0,\"current_rule\":{\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"updated_at\":\"2024-12-04T19:45:49.993Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.993Z\",\"created_by\":\"elastic\",\"name\":\"Exporting Exchange Mailbox via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. 
Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exporting Exchange Mailbox via PowerShell\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\n\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. 
This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n 
process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.command_line : (\\\"*MailboxExportRequest*\\\", \\\"*-Mailbox*-ContentFilter*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Exporting Exchange Mailbox via PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Exporting Exchange Mailbox via PowerShell\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\\n\\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the export operation:\\n - Identify the user account that performed the action and whether it should perform this kind of action.\\n - Contact the account owner and confirm whether they are aware of this activity.\\n - Check if this operation was approved and performed according to the organization's change management policy.\\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \\\"Mailbox Import Export\\\" privilege for abnormal activity.\\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\\n- If the operation was completed successfully:\\n - Check if the file is on the path specified in the command.\\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of users with the \\\"Mailbox Import Export\\\" privilege to ensure that the least privilege principle is being followed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":417,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate 
exchange system administration activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1005\",\"name\":\"Data from Local System\",\"reference\":\"https://attack.mitre.org/techniques/T1005/\"},{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3ea58a8a-e9e1-45f8-aa56-0fe5bd6ac46e\",\"rule_id\":\"6aace640-e631-4870-ba8e-5fdda09325db\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:49.993Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.command_line : (\\\"*MailboxExportRequest*\\\", \\\"*-Mailbox*-ContentFilter*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":417,\"merged_version\":417,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\"],\"target_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"revision\":0,\"current_rule\":{\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"updated_at\":\"2024-12-04T19:45:50.005Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.005Z\",\"created_by\":\"elastic\",\"name\":\"Remote Computer Account DnsHostName Update\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the remote update to a computer account's DnsHostName attribute. 
If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4\",\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.DnsHostName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"changed-computer-account\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\\n winlog.event_data.DnsHostName : \\\"??*\\\" and\\n\\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Computer Account DnsHostName Update\",\"description\":\"Identifies the remote update to a computer account's DnsHostName attribute. 
If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4\",\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.DnsHostName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"d6605276-db55-4bc9-8aee-7ad35e834629\",\"rule_id\":\"6bed021a-0afb-461c-acbe-ffdb9574d3f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.005Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"changed-computer-account\\\" and user.id : (\\\"S-1-5-21-*\\\", \\\"S-1-12-1-*\\\") and\\n\\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\\n winlog.event_data.DnsHostName : \\\"??*\\\" and\\n\\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: 
Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"revision\":0,\"current_rule\":{\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"updated_at\":\"2024-12-04T19:45:50.010Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.010Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Server UM Writing Suspicious Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\\n\\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.\",\"This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. 
Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy.\"],\"from\":\"now-9m\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : (\\\"UMWorkerProcess.exe\\\", \\\"umservice.exe\\\") and\\n file.extension : (\\\"php\\\", \\\"jsp\\\", \\\"js\\\", \\\"aspx\\\", \\\"asmx\\\", \\\"asax\\\", \\\"cfm\\\", \\\"shtml\\\") and\\n (\\n file.path : \\\"?:\\\\\\\\inetpub\\\\\\\\wwwroot\\\\\\\\aspnet_client\\\\\\\\*\\\" or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\*\\\" and\\n not (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\version\\\\\\\\*\\\" or\\n file.name : (\\\"errorFE.aspx\\\", \\\"expiredpassword.aspx\\\", \\\"frowny.aspx\\\", \\\"GetIdToken.htm\\\", \\\"logoff.aspx\\\",\\n \\\"logon.aspx\\\", \\\"OutlookCN.aspx\\\", \\\"RedirSuiteServiceProxy.aspx\\\", \\\"signout.aspx\\\"))) or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\ecp\\\\\\\\auth\\\\\\\\*\\\" and\\n not file.name : \\\"TimeoutLogoff.aspx\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Server UM Writing Suspicious Files\",\"description\":\"Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. 
This activity has been observed exploiting CVE-2021-26858.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\\n\\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\\nfrom existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support\\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.\",\"This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. 
Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy.\"],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a206b3a9-a89d-4b48-9d5c-966fe290e327\",\"rule_id\":\"6cd1779c-560f-4b68-a8f1-11009b27fe63\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.010Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file 
where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n process.name : (\\\"UMWorkerProcess.exe\\\", \\\"umservice.exe\\\") and\\n file.extension : (\\\"php\\\", \\\"jsp\\\", \\\"js\\\", \\\"aspx\\\", \\\"asmx\\\", \\\"asax\\\", \\\"cfm\\\", \\\"shtml\\\") and\\n (\\n file.path : \\\"?:\\\\\\\\inetpub\\\\\\\\wwwroot\\\\\\\\aspnet_client\\\\\\\\*\\\" or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\*\\\" and\\n not (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\owa\\\\\\\\auth\\\\\\\\version\\\\\\\\*\\\" or\\n file.name : (\\\"errorFE.aspx\\\", \\\"expiredpassword.aspx\\\", \\\"frowny.aspx\\\", \\\"GetIdToken.htm\\\", \\\"logoff.aspx\\\",\\n \\\"logon.aspx\\\", \\\"OutlookCN.aspx\\\", \\\"RedirSuiteServiceProxy.aspx\\\", \\\"signout.aspx\\\"))) or\\n\\n (file.path : \\\"?:\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Exchange Server*\\\\\\\\FrontEnd\\\\\\\\HttpProxy\\\\\\\\ecp\\\\\\\\auth\\\\\\\\*\\\" and\\n not file.name : \\\"TimeoutLogoff.aspx\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"revision\":0,\"current_rule\":{\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"updated_at\":\"2024-12-04T19:45:50.012Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.012Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process For a Windows Host\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process For a Windows Host\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unisgned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_rare_process_by_host_windows\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process For a Windows Host\",\"description\":\"Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. 
Processes are considered rare when they only run occasionally as compared with other processes running on the host.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Process For a Windows Host\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unisgned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8360a07e-b93e-4d53-827a-579b12957b7f\",\"rule_id\":\"6d448b96-c922-4adb-b51c-b767f1ea5b76\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.012Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_rare_process_by_host_windows\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"updated_at\":\"2024-12-04T19:45:50.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.017Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen Commonly Abused Remote Access Tool Execution\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\\n\\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\\n\\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\\n\\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check if the execution of the remote access tool is approved by the organization's IT department.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\",\"https://attack.mitre.org/techniques/T1219/\",\"https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type: \\\"windows\\\" and\\n\\n event.category: \\\"process\\\" and event.type : \\\"start\\\" and\\n\\n (\\n process.code_signature.subject_name : (\\n \\\"Action1 Corporation\\\" or\\n \\\"AeroAdmin LLC\\\" or\\n \\\"Ammyy LLC\\\" or\\n \\\"Atera Networks Ltd\\\" or\\n \\\"AWERAY PTE. LTD.\\\" or\\n \\\"BeamYourScreen GmbH\\\" or\\n \\\"Bomgar Corporation\\\" or\\n \\\"DUC FABULOUS CO.,LTD\\\" or\\n \\\"DOMOTZ INC.\\\" or\\n \\\"DWSNET OÜ\\\" or\\n \\\"FleetDeck Inc\\\" or\\n \\\"GlavSoft LLC\\\" or\\n \\\"GlavSoft LLC.\\\" or\\n \\\"Hefei Pingbo Network Technology Co. 
Ltd\\\" or\\n \\\"IDrive, Inc.\\\" or\\n \\\"IMPERO SOLUTIONS LIMITED\\\" or\\n \\\"Instant Housecall\\\" or\\n \\\"ISL Online Ltd.\\\" or\\n \\\"LogMeIn, Inc.\\\" or\\n \\\"Monitoring Client\\\" or\\n \\\"MMSOFT Design Ltd.\\\" or\\n \\\"Nanosystems S.r.l.\\\" or\\n \\\"NetSupport Ltd\\\" or\\n \\\"NinjaRMM, LLC\\\" or\\n \\\"Parallels International GmbH\\\" or\\n \\\"philandro Software GmbH\\\" or\\n \\\"Pro Softnet Corporation\\\" or\\n \\\"RealVNC\\\" or\\n \\\"RealVNC Limited\\\" or\\n \\\"BreakingSecurity.net\\\" or\\n \\\"Remote Utilities LLC\\\" or\\n \\\"Rocket Software, Inc.\\\" or\\n \\\"SAFIB\\\" or\\n \\\"Servably, Inc.\\\" or\\n \\\"ShowMyPC INC\\\" or\\n \\\"Splashtop Inc.\\\" or\\n \\\"Superops Inc.\\\" or\\n \\\"TeamViewer\\\" or\\n \\\"TeamViewer GmbH\\\" or\\n \\\"TeamViewer Germany GmbH\\\" or\\n \\\"Techinline Limited\\\" or\\n \\\"uvnc bvba\\\" or\\n \\\"Yakhnovets Denis Aleksandrovich IP\\\" or\\n \\\"Zhou Huabing\\\"\\n ) or\\n\\n process.name.caseless : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n ) or\\n process.name : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n )\\n\\t) and\\n\\n\\tnot (process.pe.original_file_name : (\\\"G2M.exe\\\" or \\\"Updater.exe\\\" or \\\"powershell.exe\\\") and process.code_signature.subject_name : \\\"LogMeIn, Inc.\\\")\\n\",\"new_terms_fields\":[\"host.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen Commonly Abused Remote Access Tool Execution\",\"description\":\"Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. 
This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\\n\\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\\n\\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\\n\\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Check if the execution of the remote access tool is approved by the organization's IT department.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. 
Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/\",\"https://attack.mitre.org/techniques/T1219/\",\"https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33c761b4-5b75-4975-a073-48d4d80ad662\",\"rule_id\":\"6e1a2cc4-d260-11ed-8829-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.015Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.017Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type: \\\"windows\\\" and\\n\\n event.category: \\\"process\\\" and event.type : \\\"start\\\" and\\n\\n (\\n process.code_signature.subject_name : (\\n \\\"Action1 Corporation\\\" or\\n \\\"AeroAdmin LLC\\\" or\\n \\\"Ammyy LLC\\\" or\\n \\\"Atera Networks Ltd\\\" or\\n \\\"AWERAY PTE. LTD.\\\" or\\n \\\"BeamYourScreen GmbH\\\" or\\n \\\"Bomgar Corporation\\\" or\\n \\\"DUC FABULOUS CO.,LTD\\\" or\\n \\\"DOMOTZ INC.\\\" or\\n \\\"DWSNET OÜ\\\" or\\n \\\"FleetDeck Inc\\\" or\\n \\\"GlavSoft LLC\\\" or\\n \\\"GlavSoft LLC.\\\" or\\n \\\"Hefei Pingbo Network Technology Co. 
Ltd\\\" or\\n \\\"IDrive, Inc.\\\" or\\n \\\"IMPERO SOLUTIONS LIMITED\\\" or\\n \\\"Instant Housecall\\\" or\\n \\\"ISL Online Ltd.\\\" or\\n \\\"LogMeIn, Inc.\\\" or\\n \\\"Monitoring Client\\\" or\\n \\\"MMSOFT Design Ltd.\\\" or\\n \\\"Nanosystems S.r.l.\\\" or\\n \\\"NetSupport Ltd\\\" or\\n \\\"NinjaRMM, LLC\\\" or\\n \\\"Parallels International GmbH\\\" or\\n \\\"philandro Software GmbH\\\" or\\n \\\"Pro Softnet Corporation\\\" or\\n \\\"RealVNC\\\" or\\n \\\"RealVNC Limited\\\" or\\n \\\"BreakingSecurity.net\\\" or\\n \\\"Remote Utilities LLC\\\" or\\n \\\"Rocket Software, Inc.\\\" or\\n \\\"SAFIB\\\" or\\n \\\"Servably, Inc.\\\" or\\n \\\"ShowMyPC INC\\\" or\\n \\\"Splashtop Inc.\\\" or\\n \\\"Superops Inc.\\\" or\\n \\\"TeamViewer\\\" or\\n \\\"TeamViewer GmbH\\\" or\\n \\\"TeamViewer Germany GmbH\\\" or\\n \\\"Techinline Limited\\\" or\\n \\\"uvnc bvba\\\" or\\n \\\"Yakhnovets Denis Aleksandrovich IP\\\" or\\n \\\"Zhou Huabing\\\"\\n ) or\\n\\n process.name.caseless : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n ) or\\n process.name : (\\n AA_v*.exe or\\n \\\"AeroAdmin.exe\\\" or\\n \\\"AnyDesk.exe\\\" or\\n \\\"apc_Admin.exe\\\" or\\n \\\"apc_host.exe\\\" or\\n \\\"AteraAgent.exe\\\" or\\n aweray_remote*.exe or\\n \\\"AweSun.exe\\\" or\\n \\\"B4-Service.exe\\\" or\\n \\\"BASupSrvc.exe\\\" or\\n \\\"bomgar-scc.exe\\\" or\\n \\\"domotzagent.exe\\\" or\\n \\\"domotz-windows-x64-10.exe\\\" or\\n \\\"dwagsvc.exe\\\" or\\n \\\"DWRCC.exe\\\" or\\n \\\"ImperoClientSVC.exe\\\" or\\n \\\"ImperoServerSVC.exe\\\" or\\n \\\"ISLLight.exe\\\" or\\n \\\"ISLLightClient.exe\\\" or\\n fleetdeck_commander*.exe or\\n \\\"getscreen.exe\\\" or\\n \\\"LMIIgnition.exe\\\" or\\n \\\"LogMeIn.exe\\\" or\\n \\\"ManageEngine_Remote_Access_Plus.exe\\\" or\\n \\\"Mikogo-Service.exe\\\" or\\n \\\"NinjaRMMAgent.exe\\\" or\\n \\\"NinjaRMMAgenPatcher.exe\\\" or\\n \\\"ninjarmm-cli.exe\\\" or\\n \\\"r_server.exe\\\" or\\n \\\"radmin.exe\\\" or\\n \\\"radmin3.exe\\\" or\\n \\\"RCClient.exe\\\" or\\n \\\"RCService.exe\\\" or\\n 
\\\"RemoteDesktopManager.exe\\\" or\\n \\\"RemotePC.exe\\\" or\\n \\\"RemotePCDesktop.exe\\\" or\\n \\\"RemotePCService.exe\\\" or\\n \\\"rfusclient.exe\\\" or\\n \\\"ROMServer.exe\\\" or\\n \\\"ROMViewer.exe\\\" or\\n \\\"RPCSuite.exe\\\" or\\n \\\"rserver3.exe\\\" or\\n \\\"rustdesk.exe\\\" or\\n \\\"rutserv.exe\\\" or\\n \\\"rutview.exe\\\" or\\n \\\"saazapsc.exe\\\" or\\n ScreenConnect*.exe or\\n \\\"smpcview.exe\\\" or\\n \\\"spclink.exe\\\" or\\n \\\"Splashtop-streamer.exe\\\" or\\n \\\"SRService.exe\\\" or\\n \\\"strwinclt.exe\\\" or\\n \\\"Supremo.exe\\\" or\\n \\\"SupremoService.exe\\\" or\\n \\\"teamviewer.exe\\\" or\\n \\\"TiClientCore.exe\\\" or\\n \\\"TSClient.exe\\\" or\\n \\\"tvn.exe\\\" or\\n \\\"tvnserver.exe\\\" or\\n \\\"tvnviewer.exe\\\" or\\n UltraVNC*.exe or\\n UltraViewer*.exe or\\n \\\"vncserver.exe\\\" or\\n \\\"vncviewer.exe\\\" or\\n \\\"winvnc.exe\\\" or\\n \\\"winwvc.exe\\\" or\\n \\\"Zaservice.exe\\\" or\\n \\\"ZohoURS.exe\\\"\\n )\\n\\t) and\\n\\n\\tnot (process.pe.original_file_name : (\\\"G2M.exe\\\" or \\\"Updater.exe\\\" or \\\"powershell.exe\\\") and process.code_signature.subject_name : \\\"LogMeIn, Inc.\\\")\\n\",\"new_terms_fields\":[\"host.id\"],\"history_window_start\":\"now-15d\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"revision\":0,\"current_rule\":{\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"updated_at\":\"2024-12-04T19:45:50.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.020Z\",\"created_by\":\"elastic\",\"name\":\"Anomalous Process For a Windows Population\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Searches for rare processes running on multiple hosts in an entire fleet or network. 
This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Process For a Windows Population\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following 
integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_all_hosts\"],\"actions\":[]},\"target_rule\":{\"name\":\"Anomalous Process For a Windows Population\",\"description\":\"Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Anomalous Process For a Windows Population\\n\\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\\n\\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n - Investigate the process metadata — such as the digital signature, directory, etc. — to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is 
enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"4729402a-0d68-49dd-a7b4-319d98c6d997\",\"rule_id\":\"6e40d56f-5c0e-4ac6-aece-bee96645b172\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.016Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.020Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_process_all_hosts\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"revision\":0,\"current_rule\":{\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"updated_at\":\"2024-12-04T19:45:50.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.022Z\",\"created_by\":\"elastic\",\"name\":\"AdminSDHolder Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://adsecurity.org/?p=1906\",\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdminSDHolder Backdoor\",\"description\":\"Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://adsecurity.org/?p=1906\",\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]},{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"53ef0680-aecb-426b-b77e-9e0d8b9eb5be\",\"rule_id\":\"6e9130a5-9be6-48e5-943a-9628bfc74b18\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.016Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.022Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:5136 and\\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"revision\":0,\"current_rule\":{\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"updated_at\":\"2024-12-04T19:45:50.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.027Z\",\"created_by\":\"elastic\",\"name\":\"Potential Windows Error Manager Masquerading\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. 
This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Windows Error Manager Masquerading\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legit Application Crash with rare Werfault commandline value\"],\"from\":\"now-9m\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [process where host.os.type == \\\"windows\\\" and event.type:\\\"start\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and destination.ip !=\\\"::1\\\" and destination.ip !=\\\"127.0.0.1\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Windows Error Manager 
Masquerading\",\"description\":\"Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Windows Error Manager Masquerading\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legit Application Crash with rare Werfault commandline value\"],\"references\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d69bb234-06d0-4fd1-816e-98cc33a63c57\",\"rule_id\":\"6ea41894-66c3-4df7-ad6b-2c5074eb3df8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.027Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan = 5s\\n [process where host.os.type == \\\"windows\\\" and event.type:\\\"start\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"wermgr.exe\\\", \\\"WerFault.exe\\\") and network.protocol != \\\"dns\\\" and\\n network.direction : (\\\"outgoing\\\", \\\"egress\\\") and destination.ip !=\\\"::1\\\" and destination.ip !=\\\"127.0.0.1\\\"\\n 
]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\"],\"target_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://twitter.com/SBousseaden/status/1235533224337641473\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/\",\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"revision\":0,\"current_rule\":{\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"updated_at\":\"2024-12-04T19:45:50.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.029Z\",\"created_by\":\"elastic\",\"name\":\"Security Software Discovery using WMIC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery using WMIC\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name : \\\"wmic.exe\\\") and\\nprocess.args : \\\"/namespace:\\\\\\\\\\\\\\\\root\\\\\\\\SecurityCenter2\\\" and process.args : \\\"Get\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Security Software Discovery using WMIC\",\"description\":\"Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall 
details.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery using WMIC\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9602b280-3a4c-4590-aeb5-38695ab0b4d0\",\"rule_id\":\"6ea55c81-e2ba-42f2-a134-bccf857ba922\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.029Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name : \\\"wmic.exe\\\") and\\nprocess.args : \\\"/namespace:\\\\\\\\\\\\\\\\root\\\\\\\\SecurityCenter2\\\" and process.args : \\\"Get\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"revision\":0,\"current_rule\":{\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"updated_at\":\"2024-12-04T19:46:03.792Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.792Z\",\"created_by\":\"elastic\",\"name\":\"Active Directory Group Modification by SYSTEM\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.code == \\\"4728\\\" and\\nwinlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n/* DOMAIN_USERS and local groups */\\nnot group.id : \\\"S-1-5-21-*-513\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Active Directory Group Modification by SYSTEM\",\"description\":\"Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. 
This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"310793ea-71e1-4363-9b85-312131629961\",\"rule_id\":\"6f024bde-7085-489b-8250-5957efdf1caf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.792Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where winlog.api == \\\"wineventlog\\\" and event.code == \\\"4728\\\" and\\nwinlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n/* DOMAIN_USERS and local groups */\\nnot group.id : \\\"S-1-5-21-*-513\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"revision\":0,\"current_rule\":{\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"updated_at\":\"2024-12-04T19:45:50.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.034Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Role Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Role Modified\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. 
Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace role is modified.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\\n- After identifying the involved user, verify administrative privileges are scoped properly.\\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The 
`event.action` field will help trace actions that are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that modified the role, verify the action was intentional.\\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Role Modified\",\"description\":\"Detects when a custom admin role or its permissions are modified. 
An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Role Modified\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\\n\\nThis rule identifies when a Google Workspace role is modified.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\\n- After identifying the involved user, verify administrative privileges are scoped properly.\\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this role.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace actions that are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that modified the role, verify the action was intentional.\\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of 
the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By 
default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a75eb231-a420-4e79-9462-79b5e60a6d3b\",\"rule_id\":\"6f435062-b7fc-4af9-acea-5b1ead65c5a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.034Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"revision\":0,\"current_rule\":{\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"updated_at\":\"2024-12-04T19:45:50.037Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.037Z\",\"created_by\":\"elastic\",\"name\":\"AWS CloudTrail Log Deleted\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Log Auditing\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS CloudTrail Log Deleted\\n\\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\\n\\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with 
your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html\",\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS CloudTrail Log Deleted\",\"description\":\"Identifies the deletion of an AWS log trail. 
An adversary may delete trails in an attempt to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS CloudTrail Log Deleted\\n\\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\\n\\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and IP address conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Log Auditing\",\"Resources: Investigation Guide\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html\",\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"62afe461-f236-430e-93c9-2b7013664430\",\"rule_id\":\"7024e2a0-315d-4334-bb1a-441c593e16ab\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:50.037Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and 
event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"source.address\",\"user_agent.original\",\"aws.cloudtrail.flattened.request_parameters.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider:cloudtrail.amazonaws.com\\n and event.action:DeleteTrail\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"revision\":0,\"current_rule\":{\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"updated_at\":\"2024-12-04T19:45:51.161Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.161Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via MSIEXEC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from an unusual path or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.007\",\"name\":\"Msiexec\",\"reference\":\"https://attack.mitre.org/techniques/T1218/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\",\"https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n process.name : \\\"msiexec.exe\\\" and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.parent.executable != null and\\n (\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\") and\\n 
not process.parent.executable : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\programdata\\\\\\\\*\\\")) or\\n\\n (process.args_count == 1 and not process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\explorer.exe\\\")) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n (process.parent.args : \\\"Schedule\\\" or process.parent.name : \\\"wmiprvse.exe\\\" or\\n process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\" or\\n (process.parent.name : (\\\"powershell.exe\\\", \\\"cmd.exe\\\") and length(process.parent.command_line) >= 200))) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n ?process.working_directory : \\\"?:\\\\\\\\\\\" and process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* noisy pattern */\\n not (process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\" and ?process.parent.args_count >= 2 and\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\*.msi\\\") and\\n\\n not process.args : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via MSIEXEC\",\"description\":\"Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. 
Adversaries may abuse msiexec.exe to launch malicious local MSI files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Msiexec/\",\"https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.007\",\"name\":\"Msiexec\",\"reference\":\"https://attack.mitre.org/techniques/T1218/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d482bbe2-dbf7-4e67-ae98-e5b78fe41bb4\",\"rule_id\":\"708c9d92-22a3-4fe0-b6b9-1f861c55502d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.161Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n process.name : \\\"msiexec.exe\\\" and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-*\\\") and process.parent.executable != null and\\n (\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\") and\\n not 
process.parent.executable : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Desktop\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\programdata\\\\\\\\*\\\")) or\\n\\n (process.args_count == 1 and not process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\explorer.exe\\\")) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n (process.parent.args : \\\"Schedule\\\" or process.parent.name : \\\"wmiprvse.exe\\\" or\\n process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\" or\\n (process.parent.name : (\\\"powershell.exe\\\", \\\"cmd.exe\\\") and length(process.parent.command_line) >= 200))) or\\n\\n (process.args : \\\"/i\\\" and process.args : (\\\"/q\\\", \\\"/quiet\\\") and process.args_count == 4 and\\n ?process.working_directory : \\\"?:\\\\\\\\\\\" and process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* noisy pattern */\\n not (process.parent.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\" and ?process.parent.args_count >= 2 and\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\*.msi\\\") and\\n\\n not process.args : (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"revision\":0,\"current_rule\":{\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"updated_at\":\"2024-12-04T19:45:51.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.172Z\",\"created_by\":\"elastic\",\"name\":\"Unusual File Creation - Alternate Data Stream\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Creation - Alternate Data Stream\\n\\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\\n\\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. 
So any data stream that has a name is considered an alternate data stream.\\n\\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\\n - `Get-Content C:\\\\Path\\\\To\\\\file.exe -stream SampleAlternateDataStreamName`\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, Windows Security event ID 4624) to the target host after the alternate data stream was created.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":115,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\",\\n \\\"dll\\\",\\n \\\"exe\\\",\\n \\\"dat\\\",\\n \\\"com\\\",\\n \\\"bat\\\",\\n \\\"cmd\\\",\\n \\\"sys\\\",\\n \\\"vbs\\\",\\n \\\"ps1\\\",\\n \\\"hta\\\",\\n \\\"txt\\\",\\n \\\"vbe\\\",\\n \\\"js\\\",\\n \\\"wsh\\\",\\n \\\"docx\\\",\\n \\\"doc\\\",\\n \\\"xlsx\\\",\\n \\\"xls\\\",\\n \\\"pptx\\\",\\n \\\"ppt\\\",\\n \\\"rtf\\\",\\n \\\"gif\\\",\\n \\\"jpg\\\",\\n \\\"png\\\",\\n \\\"bmp\\\",\\n \\\"img\\\",\\n \\\"iso\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual File Creation - Alternate Data Stream\",\"description\":\"Identifies suspicious creation of Alternate Data Streams on highly targeted files. 
This is uncommon for legitimate files and sometimes done by adversaries to hide malware.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Creation - Alternate Data Stream\\n\\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\\n\\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\\n\\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\\n - `Get-Content C:\\\\Path\\\\To\\\\file.exe -stream SampleAlternateDataStreamName`\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, Windows Security event ID 4624) to the target host after the alternate data stream was created.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e5bb807d-0c21-46a8-b828-be3a80797120\",\"rule_id\":\"71bccb61-e19b-452f-b104-79a60e546a95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n 
\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", 
\\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":115,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft 
Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\",\\n \\\"dll\\\",\\n \\\"exe\\\",\\n \\\"dat\\\",\\n \\\"com\\\",\\n \\\"bat\\\",\\n \\\"cmd\\\",\\n \\\"sys\\\",\\n \\\"vbs\\\",\\n \\\"ps1\\\",\\n \\\"hta\\\",\\n \\\"txt\\\",\\n \\\"vbe\\\",\\n \\\"js\\\",\\n \\\"wsh\\\",\\n \\\"docx\\\",\\n \\\"doc\\\",\\n \\\"xlsx\\\",\\n \\\"xls\\\",\\n \\\"pptx\\\",\\n \\\"ppt\\\",\\n \\\"rtf\\\",\\n \\\"gif\\\",\\n \\\"jpg\\\",\\n \\\"png\\\",\\n \\\"bmp\\\",\\n \\\"img\\\",\\n \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", \\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and 
event.type == \\\"creation\\\" and\\n\\n file.path : \\\"C:\\\\\\\\*:*\\\" and\\n not file.path : \\n (\\\"C:\\\\\\\\*:zone.identifier*\\\",\\n \\\"C:\\\\\\\\users\\\\\\\\*\\\\\\\\appdata\\\\\\\\roaming\\\\\\\\microsoft\\\\\\\\teams\\\\\\\\old_weblogs_*:$DATA\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CSC\\\\\\\\*:CscBitmapStream\\\") and\\n\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Dropbox\\\\\\\\Client\\\\\\\\Dropbox.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ExpressConnect\\\\\\\\ExpressConnectNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\EXCEL.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\OUTLOOK.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\POWERPNT.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Office\\\\\\\\root\\\\\\\\*\\\\\\\\WINWORD.EXE\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Rivet Networks\\\\\\\\SmartByte\\\\\\\\SmartByteNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DataExchangeHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\Intel\\\\\\\\ICPS\\\\\\\\IntelConnectivityNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\RivetNetworks\\\\\\\\Killer\\\\\\\\KillerNetworkService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\PickerHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchProtocolHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sihost.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\System32\\\\\\\\svchost.exe\\\"\\n ) and\\n\\n file.extension :\\n (\\n \\\"pdf\\\", \\\"dll\\\", \\\"exe\\\", \\\"dat\\\", \\\"com\\\", \\\"bat\\\", \\\"cmd\\\", \\\"sys\\\", \\\"vbs\\\", \\\"ps1\\\", \\\"hta\\\", \\\"txt\\\", \\\"vbe\\\", \\\"js\\\",\\n \\\"wsh\\\", \\\"docx\\\", \\\"doc\\\", \\\"xlsx\\\", \\\"xls\\\", \\\"pptx\\\", \\\"ppt\\\", \\\"rtf\\\", \\\"gif\\\", \\\"jpg\\\", \\\"png\\\", \\\"bmp\\\", \\\"img\\\", \\\"iso\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"revision\":0,\"current_rule\":{\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"updated_at\":\"2024-12-04T19:45:51.174Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.174Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious RDP ActiveX Client Loaded\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"mstscax.dll\\\" or file.name : \\\"mstscax.dll\\\") and\\n /* depending on noise in your env add here extra paths */\\n process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Default\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\"\\n ) and\\n /* add here FPs */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vmconnect.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsSandboxClient.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hvsirdpclient.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious RDP ActiveX Client Loaded\",\"description\":\"Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6060d5fb-b829-405a-91a3-4fd209b39c64\",\"rule_id\":\"71c5cb27-eca5-4151-bb47-64bc3f883270\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.174Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"mstscax.dll\\\" or file.name : \\\"mstscax.dll\\\") and\\n /* depending on noise in your env add here extra paths */\\n process.executable : (\\n \\\"C:\\\\\\\\Windows\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Default\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\"\\n ) and\\n /* add here FPs */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vmconnect.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsSandboxClient.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\hvsirdpclient.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"revision\":0,\"current_rule\":{\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"updated_at\":\"2024-12-04T19:45:51.200Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.200Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious JetBrains TeamCity Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning.\"],\"from\":\"now-9m\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n 
\\\"?:\\\\\\\\TeamCity\\\\\\\\BuildAgent\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"msiexec.exe\\\", \\\"certutil.exe\\\", \\\"bitsadmin.exe\\\", \\\"wmic.exe\\\", \\\"curl.exe\\\", \\\"ssh.exe\\\",\\n \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"mshta.exe\\\", \\\"certreq.exe\\\", \\\"net.exe\\\", \\\"nltest.exe\\\", \\\"whoami.exe\\\", \\\"hostname.exe\\\",\\n \\\"tasklist.exe\\\", \\\"arp.exe\\\", \\\"nbtstat.exe\\\", \\\"netstat.exe\\\", \\\"reg.exe\\\", \\\"tasklist.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\",\\n \\\"dnx.exe\\\", \\\"dsget.exe\\\", \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\",\\\"msxsl.exe\\\", \\\"netsh.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\",\\n \\\"systeminfo.exe\\\", \\\"tracert.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"msdt.exe\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"-ExecutionPolicy\\\" and process.args : \\\"?:\\\\\\\\TeamCity\\\\\\\\buildAgent\\\\\\\\work\\\\\\\\*.ps1\\\") and\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"dir\\\" and process.args : \\\"/-c\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious JetBrains TeamCity Child Process\",\"description\":\"Identifies suspicious processes being spawned by the JetBrain TeamCity process. 
This activity could be related to JetBrains remote code execution vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning.\"],\"references\":[\"https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e3f27689-d65f-48e9-8349-9ec08125085a\",\"rule_id\":\"730ed57d-ae0f-444f-af50-78708b57edd5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.200Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\TeamCity\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\TeamCity\\\\\\\\BuildAgent\\\\\\\\jre\\\\\\\\bin\\\\\\\\java.exe\\\") and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"msiexec.exe\\\", \\\"certutil.exe\\\", \\\"bitsadmin.exe\\\", \\\"wmic.exe\\\", \\\"curl.exe\\\", \\\"ssh.exe\\\",\\n \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"mshta.exe\\\", \\\"certreq.exe\\\", \\\"net.exe\\\", \\\"nltest.exe\\\", \\\"whoami.exe\\\", \\\"hostname.exe\\\",\\n \\\"tasklist.exe\\\", \\\"arp.exe\\\", \\\"nbtstat.exe\\\", \\\"netstat.exe\\\", 
\\\"reg.exe\\\", \\\"tasklist.exe\\\", \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\",\\n \\\"dnx.exe\\\", \\\"dsget.exe\\\", \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\",\\\"msxsl.exe\\\", \\\"netsh.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\", \\\"schtasks.exe\\\",\\n \\\"systeminfo.exe\\\", \\\"tracert.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"msdt.exe\\\") and\\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"-ExecutionPolicy\\\" and process.args : \\\"?:\\\\\\\\TeamCity\\\\\\\\buildAgent\\\\\\\\work\\\\\\\\*.ps1\\\") and\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"dir\\\" and process.args : \\\"/-c\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft 
Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"revision\":0,\"current_rule\":{\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"updated_at\":\"2024-12-04T19:46:03.797Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.797Z\",\"created_by\":\"elastic\",\"name\":\"Potential Execution of rc.local Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. 
The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC 
Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"info\\\" and event.action == \\\"already_running\\\" and \\nprocess.parent.args == \\\"/etc/rc.local\\\" and process.parent.args == \\\"start\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Execution of rc.local Script\",\"description\":\"This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. 
As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f94723e6-0fdd-4934-a2ec-da9aeb2e1e23\",\"rule_id\":\"7318affb-bfe8-4d50-a425-f617833be160\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.797Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"info\\\" and event.action == \\\"already_running\\\" and \\nprocess.parent.args == \\\"/etc/rc.local\\\" and process.parent.args == \\\"start\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"revision\":0,\"current_rule\":{\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"updated_at\":\"2024-12-04T19:45:51.203Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.203Z\",\"created_by\":\"elastic\",\"name\":\"Potential Modification of Accessibility Binaries\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Modification of Accessibility Binaries\\n\\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n\\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\\n\\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility 
Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/blog/practical-security-engineering-stateful-detection\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"Utilman.exe\\\", \\\"winlogon.exe\\\") and user.name == \\\"SYSTEM\\\" and\\n process.pe.original_file_name : \\\"?*\\\" and\\n process.args :\\n (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Sethc.exe\\\",\\n \\\"utilman.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"sethc.exe\\\"\\n )\\n and not process.pe.original_file_name in\\n (\\n \\\"osk.exe\\\",\\n \\\"sethc.exe\\\",\\n \\\"utilman2.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"ScreenMagnifier.exe\\\",\\n \\\"SR.exe\\\",\\n \\\"Narrator.exe\\\",\\n \\\"magnify.exe\\\",\\n \\\"MAGNIFY.EXE\\\"\\n )\\n\\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\\n/* and process.code_signature.subject_name == \\\"Microsoft Windows\\\" and process.code_signature.status == \\\"trusted\\\" */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Modification of Accessibility Binaries\",\"description\":\"Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Modification of Accessibility Binaries\\n\\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). 
An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\\n\\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\\n\\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/blog/practical-security-engineering-stateful-detection\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.008\",\"name\":\"Accessibility 
Features\",\"reference\":\"https://attack.mitre.org/techniques/T1546/008/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4a8bcc0a-0826-4418-9328-960fc22d0602\",\"rule_id\":\"7405ddf1-6c8e-41ce-818f-48bea6bcaed8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.203Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"Utilman.exe\\\", \\\"winlogon.exe\\\") and user.name == \\\"SYSTEM\\\" and\\n process.pe.original_file_name : \\\"?*\\\" and\\n process.args :\\n (\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\osk.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Magnify.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Narrator.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Sethc.exe\\\",\\n \\\"utilman.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"sethc.exe\\\"\\n )\\n and not process.pe.original_file_name in\\n (\\n \\\"osk.exe\\\",\\n \\\"sethc.exe\\\",\\n \\\"utilman2.exe\\\",\\n \\\"DisplaySwitch.exe\\\",\\n \\\"ATBroker.exe\\\",\\n \\\"ScreenMagnifier.exe\\\",\\n \\\"SR.exe\\\",\\n \\\"Narrator.exe\\\",\\n \\\"magnify.exe\\\",\\n \\\"MAGNIFY.EXE\\\"\\n )\\n\\n/* uncomment 
once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\\n/* and process.code_signature.subject_name == \\\"Microsoft Windows\\\" and process.code_signature.status == \\\"trusted\\\" */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"revision\":0,\"current_rule\":{\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"updated_at\":\"2024-12-04T19:45:51.212Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.212Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Sysctl File Event\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n\\n```\\n-w /etc/sysctl.conf -p wa -k sysctl\\n-w /etc/sysctl.d -p wa -k sysctl\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Sysctl File Event\",\"description\":\"Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. 
Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n\\n```\\n-w /etc/sysctl.conf -p wa -k sysctl\\n-w /etc/sysctl.d -p wa -k sysctl\\n```\\n\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b5a61bb-e0f8-4553-9555-b663c398c0b3\",\"rule_id\":\"7592c127-89fb-4209-a8f6-f9944dfd7e02\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.212Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or 
pool*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(\\\"opened-file\\\" or \\\"read-file\\\" or \\\"wrote-to-file\\\") and\\nfile.path : (\\\"/etc/sysctl.conf\\\" or \\\"/etc/sysctl.d\\\" or /etc/sysctl.d/*) and not process.name:(\\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"revision\":0,\"current_rule\":{\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"updated_at\":\"2024-12-04T19:45:51.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.219Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Sudoers File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A sudoers file specifies the commands users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Sudoers File Modification\",\"description\":\"A sudoers file specifies the commands users or groups can run and from which terminals. 
Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a7918216-c7a5-48b2-9817-8eecf925d050\",\"rule_id\":\"76152ca1-71d0-4003-9e37-0983e12832da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"event.category:process and event.type:start and 
process.args:(echo and *NOPASSWD*ALL*)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"revision\":0,\"current_rule\":{\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"updated_at\":\"2024-12-04T19:45:51.224Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.224Z\",\"created_by\":\"elastic\",\"name\":\"Access to a Sensitive LDAP Attribute\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action in (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and event.code == \\\"4662\\\" and\\n\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n winlog.event_data.Properties : (\\n /* unixUserPassword */\\n \\\"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\\\",\\n\\n /* ms-PKI-AccountCredentials */\\n \\\"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\\\",\\n\\n /* ms-PKI-DPAPIMasterKeys */\\n 
\\\"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\\\",\\n\\n /* msPKI-CredentialRoamingTokens */\\n \\\"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\\\"\\n ) and\\n\\n /*\\n Excluding noisy AccessMasks\\n 0x0 undefined and 0x100 Control Access\\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\\n */\\n not winlog.event_data.AccessMask in (\\\"0x0\\\", \\\"0x100\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Access to a Sensitive LDAP Attribute\",\"description\":\"Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\",\"https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1552\",\"name\":\"Unsecured 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"de760181-3820-4fb5-a2ac-e8d40bd286a2\",\"rule_id\":\"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.224Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action in (\\\"Directory Service Access\\\", 
\\\"object-operation-performed\\\") and event.code == \\\"4662\\\" and\\n\\n not winlog.event_data.SubjectUserSid : \\\"S-1-5-18\\\" and\\n\\n winlog.event_data.Properties : (\\n /* unixUserPassword */\\n \\\"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\\\",\\n\\n /* ms-PKI-AccountCredentials */\\n \\\"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\\\",\\n\\n /* ms-PKI-DPAPIMasterKeys */\\n \\\"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\\\",\\n\\n /* msPKI-CredentialRoamingTokens */\\n \\\"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\\\"\\n ) and\\n\\n /*\\n Excluding noisy AccessMasks\\n 0x0 undefined and 0x100 Control Access\\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\\n */\\n not winlog.event_data.AccessMask in (\\\"0x0\\\", \\\"0x100\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"revision\":0,\"current_rule\":{\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"updated_at\":\"2024-12-04T19:45:51.234Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.234Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Rogue Named Pipe Impersonation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via rogue named pipe impersonation. 
An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\",\"https://github.com/zcgonvh/EfsPotato\",\"https://twitter.com/SBousseaden/status/1429530155291193354\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\\n`condition equal \\\"contains\\\" and keyword equal \\\"pipe\\\"`\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"Pipe Created*\\\" and\\n /* normal sysmon named pipe creation events truncate the pipe keyword */\\n file.name : \\\"\\\\\\\\*\\\\\\\\Pipe\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Rogue Named Pipe Impersonation\",\"description\":\"Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/\",\"https://github.com/zcgonvh/EfsPotato\",\"https://twitter.com/SBousseaden/status/1429530155291193354\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"## Setup\\n\\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\\n`condition equal \\\"contains\\\" and keyword equal \\\"pipe\\\"`\\n\\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e94cb6fd-2f55-46f6-99fc-70de23da3fcd\",\"rule_id\":\"76ddb638-abf7-42d5-be22-4a70b0bf7241\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.234Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"Pipe Created*\\\" and\\n /* normal sysmon named pipe creation events truncate the pipe keyword */\\n file.name : \\\"\\\\\\\\*\\\\\\\\Pipe\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"revision\":0,\"current_rule\":{\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"updated_at\":\"2024-12-04T19:45:51.238Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.238Z\",\"created_by\":\"elastic\",\"name\":\"Potential Remote Desktop Tunneling Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Remote Desktop Tunneling Detected\\n\\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\\n\\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\\n\\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine network data to determine if the host communicated with external servers using the tunnel.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral 
Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/\"],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* RDP port and usual SSH tunneling related switches in command line */\\n process.args : \\\"*:3389\\\" and\\n process.args : (\\\"-L\\\", \\\"-P\\\", 
\\\"-R\\\", \\\"-pw\\\", \\\"-ssh\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Remote Desktop Tunneling Detected\",\"description\":\"Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Remote Desktop Tunneling Detected\\n\\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\\n\\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\\n\\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine network data to determine if the host communicated with external servers using the tunnel.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1572\",\"name\":\"Protocol Tunneling\",\"reference\":\"https://attack.mitre.org/techniques/T1572/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a0288771-7be3-4a44-bd48-a5b4d051f8e7\",\"rule_id\":\"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.017Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.238Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* RDP port and usual SSH tunneling related switches in command line */\\n process.args : \\\"*:3389\\\" and\\n process.args : (\\\"-L\\\", \\\"-P\\\", \\\"-R\\\", \\\"-pw\\\", \\\"-ssh\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"revision\":0,\"current_rule\":{\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"updated_at\":\"2024-12-04T19:45:51.241Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.241Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration Command Spawned via WMIPrvSE\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\",\"subtechnique\":[{\"id\":\"T1016.001\",\"name\":\"Internet Connection Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/001/\"}]},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\"},{\"id\":\"T1518\",\"name\":\"Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\",\\n \\\"dsquery.exe\\\",\\n \\\"dsget.exe\\\",\\n \\\"gpresult.exe\\\",\\n \\\"hostname.exe\\\",\\n \\\"ipconfig.exe\\\",\\n \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\",\\n \\\"net1.exe\\\",\\n \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\",\\n \\\"nltest.exe\\\",\\n \\\"ping.exe\\\",\\n \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\",\\n 
\\\"qwinsta.exe\\\",\\n \\\"reg.exe\\\",\\n \\\"sc.exe\\\",\\n \\\"systeminfo.exe\\\",\\n \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration Command Spawned via WMIPrvSE\",\"description\":\"Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\",\"subtechnique\":[{\"id\":\"T1016.001\",\"name\":\"Internet Connection Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/001/\"}]},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\"},{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8e28566a-3091-425e-a525-8159d532fcf1\",\"rule_id\":\"770e0c4d-b998-41e5-a62e-c7901fd7f470\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.241Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", 
\\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: 
Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\",\\n \\\"dsquery.exe\\\",\\n \\\"dsget.exe\\\",\\n \\\"gpresult.exe\\\",\\n \\\"hostname.exe\\\",\\n \\\"ipconfig.exe\\\",\\n \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\",\\n \\\"net1.exe\\\",\\n \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\",\\n \\\"nltest.exe\\\",\\n \\\"ping.exe\\\",\\n \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\",\\n \\\"reg.exe\\\",\\n \\\"sc.exe\\\",\\n \\\"systeminfo.exe\\\",\\n \\\"tasklist.exe\\\",\\n \\\"tracert.exe\\\",\\n \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : 
\\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.command_line != null and \\n process.name:\\n (\\n \\\"arp.exe\\\", \\\"dsquery.exe\\\", \\\"dsget.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ipconfig.exe\\\", \\\"nbtstat.exe\\\",\\n \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\", \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"ping.exe\\\", \\\"qprocess.exe\\\", \\\"quser.exe\\\",\\n \\\"qwinsta.exe\\\", \\\"reg.exe\\\", \\\"sc.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\"\\n ) and\\n process.parent.name:\\\"wmiprvse.exe\\\" and \\n not (\\n process.name : \\\"sc.exe\\\" and process.args : \\\"RemoteRegistry\\\" and process.args : \\\"start=\\\" and \\n process.args : (\\\"demand\\\", \\\"disabled\\\")\\n ) and\\n not process.args : \\\"tenable_mw_scan\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"revision\":0,\"current_rule\":{\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"updated_at\":\"2024-12-04T19:45:51.246Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.246Z\",\"created_by\":\"elastic\",\"name\":\"UID Elevation from Previously Unknown Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. 
Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.013\",\"name\":\"KernelCallbackTable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n 
process.args:/usr/bin/python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"UID Elevation from Previously Unknown Executable\",\"description\":\"Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.013\",\"name\":\"KernelCallbackTable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/013/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1014\",\"name\":\"Rootkit\",\"reference\":\"https://attack.mitre.org/techniques/T1014/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic 
Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"35f5a880-5ee2-4d0d-a652-4012afb803e9\",\"rule_id\":\"7787362c-90ff-4b1a-b313-8808b1020e64\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.246Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or 
/usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or 
/opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" 
or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:\\\"linux\\\" and event.category:\\\"process\\\" and event.action:\\\"uid_change\\\" and event.type:\\\"change\\\" and user.id:\\\"0\\\"\\nand process.parent.name:(\\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\") and not (\\n process.executable:(\\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\\n /usr/libexec/postfix/local or /var/lib/snapd/snap/bin/postgresql* or /opt/puppetlabs/puppet/bin/ruby\\n ) or\\n process.name:(\\n \\\"bash\\\" or \\\"dash\\\" or \\\"sh\\\" or \\\"tcsh\\\" or \\\"csh\\\" or \\\"zsh\\\" or \\\"ksh\\\" or \\\"fish\\\" or \\\"sudo\\\" or \\\"su\\\" or \\\"apt\\\" or \\\"apt-get\\\" or\\n \\\"aptitude\\\" or \\\"squid\\\" or \\\"snap\\\" or \\\"fusermount\\\" or \\\"pkexec\\\" or \\\"umount\\\" or \\\"master\\\" or \\\"omsbaseline\\\" or \\\"dzdo\\\" or\\n \\\"sandfly\\\" or \\\"logrotate\\\"\\n ) or\\n process.args:/usr/bin/python*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"revision\":0,\"current_rule\":{\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"updated_at\":\"2024-12-04T19:45:51.250Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.250Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Sweep Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. 
This rule proposes threshold logic to check for connection attempts from one source host to 100 or more distinct destination hosts (the configured destination.ip cardinality threshold) on commonly used network services.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\"],\"query\":\"destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 
192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.ip\",\"value\":100}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Sweep Detected\",\"description\":\"This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 100 or more distinct destination hosts (the configured destination.ip cardinality threshold) on commonly used network services.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"692f2450-0b9c-42ef-a8c6-f84c608561be\",\"rule_id\":\"781f8746-2180-4691-890c-4c96d11ca91d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.250Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.ip\",\"value\":100}]},\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data 
Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-endpoint.events.network-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"revision\":0,\"current_rule\":{\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"updated_at\":\"2024-12-04T19:46:03.800Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.800Z\",\"created_by\":\"elastic\",\"name\":\"Yum/DNF Plugin Status Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"grep\\\" and process.args : \\\"plugins*\\\" and process.args : (\\n \\\"/etc/yum.conf\\\", \\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\",\\n \\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\", \\\"/etc/dnf/dnf.conf\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Yum/DNF Plugin Status Discovery\",\"description\":\"This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. 
This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b0c1eccd-b668-4e58-b659-9e66977174bc\",\"rule_id\":\"78390eb5-c838-4c1d-8240-69dd7397cfb7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.800Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"grep\\\" and process.args : \\\"plugins*\\\" and process.args : (\\n \\\"/etc/yum.conf\\\", \\\"/usr/lib/yum-plugins/*\\\", \\\"/etc/yum/pluginconf.d/*\\\",\\n \\\"/usr/lib/python*/site-packages/dnf-plugins/*\\\", \\\"/etc/dnf/plugins/*\\\", 
\\\"/etc/dnf/dnf.conf\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\"],\"target_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb\",\"https://pwnshift.github.io/2020/10/01/persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"revision\":0,\"current_rule\":{\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"updated_at\":\"2024-12-04T19:45:51.253Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.253Z\",\"created_by\":\"elastic\",\"name\":\"Application Added to Google Workspace Domain\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation 
Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Added to Google Workspace Domain\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule checks for Marketplace applications that were added to the Google Workspace domain by a Google Workspace account (the `ADD_APPLICATION` admin event).\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally add an application to the domain due to a re-assessment or a domain-wide business need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally added the application to the domain and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Application Added to Google Workspace 
Domain\",\"description\":\"Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Application Added to Google Workspace Domain\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule checks for Marketplace applications that were added to the Google Workspace domain by a Google Workspace account (the `ADD_APPLICATION` admin event).\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Google Workspace administrators might intentionally add an application to the domain due to a re-assessment or a domain-wide business need for the application.\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Contact the user to verify that they intentionally added the application to the domain and their reasoning.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e1aa46f2-aef7-4e7a-93c7-ad1be33d8641\",\"rule_id\":\"785a404b-75aa-4ffd-8be5-3334a5a544dd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.253Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"revision\":0,\"current_rule\":{\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"updated_at\":\"2024-12-04T19:45:51.260Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.260Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious ScreenConnect Client Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect client processes. 
This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\"],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name :\\n 
(\\\"ScreenConnect.ClientService.exe\\\",\\n \\\"ScreenConnect.WindowsClient.exe\\\",\\n \\\"ScreenConnect.WindowsBackstageShell.exe\\\",\\n \\\"ScreenConnect.WindowsFileManager.exe\\\") and\\n (\\n (process.name : \\\"powershell.exe\\\" and\\n process.args : (\\\"-enc\\\", \\\"-ec\\\", \\\"-e\\\", \\\"*downloadstring*\\\", \\\"*Reflection.Assembly*\\\", \\\"*http*\\\")) or\\n (process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\") or\\n (process.name : \\\"net.exe\\\" and process.args : \\\"/add\\\") or\\n (process.name : \\\"schtasks.exe\\\" and process.args : (\\\"/create\\\", \\\"-create\\\")) or\\n (process.name : \\\"sc.exe\\\" and process.args : \\\"create\\\") or\\n (process.name : \\\"rundll32.exe\\\" and not process.args : \\\"url.dll,FileProtocolHandler\\\") or\\n (process.name : \\\"msiexec.exe\\\" and process.args : (\\\"/i\\\", \\\"-i\\\") and\\n process.args : (\\\"/q\\\", \\\"/quiet\\\", \\\"/qn\\\", \\\"-q\\\", \\\"-quiet\\\", \\\"-qn\\\", \\\"-Q+\\\")) or\\n process.name : (\\\"mshta.exe\\\", \\\"certutil.exe\\\", \\\"bistadmin.exe\\\", \\\"certreq.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"curl.exe\\\",\\n \\\"ssh.exe\\\", \\\"scp.exe\\\", \\\"wevtutil.exe\\\", \\\"wget.exe\\\", \\\"wmic.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious ScreenConnect Client Child Process\",\"description\":\"Identifies suspicious processes being spawned by the ScreenConnect client processes. 
This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"641169f2-cd01-4e4c-8fa7-4414ea0f72d9\",\"rule_id\":\"78de1aeb-5225-4067-b8cc-f4a1de8a8546\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.260Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name :\\n (\\\"ScreenConnect.ClientService.exe\\\",\\n \\\"ScreenConnect.WindowsClient.exe\\\",\\n \\\"ScreenConnect.WindowsBackstageShell.exe\\\",\\n \\\"ScreenConnect.WindowsFileManager.exe\\\") and\\n (\\n (process.name : \\\"powershell.exe\\\" and\\n process.args : (\\\"-enc\\\", \\\"-ec\\\", \\\"-e\\\", \\\"*downloadstring*\\\", \\\"*Reflection.Assembly*\\\", \\\"*http*\\\")) or\\n (process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\") or\\n (process.name : \\\"net.exe\\\" and process.args : \\\"/add\\\") or\\n (process.name : \\\"schtasks.exe\\\" and process.args : (\\\"/create\\\", \\\"-create\\\")) or\\n (process.name : \\\"sc.exe\\\" and process.args : \\\"create\\\") or\\n (process.name : \\\"rundll32.exe\\\" and not 
process.args : \\\"url.dll,FileProtocolHandler\\\") or\\n (process.name : \\\"msiexec.exe\\\" and process.args : (\\\"/i\\\", \\\"-i\\\") and\\n process.args : (\\\"/q\\\", \\\"/quiet\\\", \\\"/qn\\\", \\\"-q\\\", \\\"-quiet\\\", \\\"-qn\\\", \\\"-Q+\\\")) or\\n process.name : (\\\"mshta.exe\\\", \\\"certutil.exe\\\", \\\"bistadmin.exe\\\", \\\"certreq.exe\\\", \\\"wscript.exe\\\", \\\"cscript.exe\\\", \\\"curl.exe\\\",\\n \\\"ssh.exe\\\", \\\"scp.exe\\\", \\\"wevtutil.exe\\\", \\\"wget.exe\\\", \\\"wmic.exe\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-system.security*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"revision\":0,\"current_rule\":{\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"updated_at\":\"2024-12-04T19:45:51.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.269Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL Loaded by Svchost\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\svchost.exe\\\") and \\n \\n dll.code_signature.trusted != true and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\") and \\n \\n dll.hash.sha256 != null and \\n \\n (\\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\\n dll.Ext.relative_file_creation_time <= 300 or \\n \\n /* unusual paths */\\n dll.path :(\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\")\\n ) and \\n \\n not dll.hash.sha256 : \\n (\\\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\\\", \\n \\\"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\\\", \\n \\\"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\\\", \\n \\\"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\\\", \\n \\\"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL Loaded by Svchost\",\"description\":\"Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). 
Adversaries may use this technique to maintain persistence or run with System privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b4cf8f12-a626-4135-a639-4a91193d251e\",\"rule_id\":\"78ef0c95-9dc2-40ac-a8da-5deb6293a14e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\svchost.exe\\\") and \\n \\n dll.code_signature.trusted != true and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\") and \\n \\n dll.hash.sha256 != null and \\n \\n (\\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\\n dll.Ext.relative_file_creation_time <= 300 or \\n \\n /* unusual paths */\\n dll.path :(\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\")\\n ) and \\n \\n not dll.hash.sha256 : \\n (\\\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\\\", \\n \\\"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\\\", \\n \\\"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\\\", \\n \\\"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\\\", \\n 
\\\"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merged_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"revision\":0,\"current_rule\":{\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"updated_at\":\"2024-12-04T19:45:51.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.278Z\",\"created_by\":\"elastic\",\"name\":\"Potential File Transfer via Certreq\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Certreq making an HTTP Post request. 
Adversaries could abuse Certreq to download files or upload data to a remote URL.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Transfer via Certreq\\n\\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\\n\\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\"}]}],\"to\":\"now\",\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Certreq/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"CertReq.exe\\\" or ?process.pe.original_file_name == \\\"CertReq.exe\\\") and process.args : \\\"-Post\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential File Transfer via Certreq\",\"description\":\"Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential File Transfer via Certreq\\n\\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. 
However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\\n\\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://lolbas-project.github.io/lolbas/Binaries/Certreq/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1567\",\"name\":\"Exfiltration Over Web 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1567/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f0836c0-3e11-4a42-910f-a868fd059154\",\"rule_id\":\"79f0a1f7-ed6b-471c-8eb1-23abd6470b1c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"CertReq.exe\\\" or ?process.pe.original_file_name == \\\"CertReq.exe\\\") and process.args : \\\"-Post\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"revision\":0,\"current_rule\":{\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"updated_at\":\"2024-12-04T19:45:51.281Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.281Z\",\"created_by\":\"elastic\",\"name\":\"Potential Shadow Credentials added to AD Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. 
Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Shadow Credentials added to AD Object\\n\\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\\n\\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\\n\\n#### Possible investigation steps\\n\\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\\n - Check whether the `source.ip` is the server running Azure AD Connect.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\\n\\n### False positive analysis\\n\\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. 
You can also create an exception for the account if expected activity makes too much noise in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Remove the Shadow Credentials from the object.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. 
These accounts can be added as Exceptions.\"],\"from\":\"now-9m\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab\",\"https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials\",\"https://github.com/OTRF/Set-AuditRule\",\"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msDS-KeyCredentialLink\\\" and winlog.event_data.AttributeValue :B\\\\:828* and\\n not winlog.event_data.SubjectUserName: MSOL_*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Shadow Credentials added to AD Object\",\"description\":\"Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Shadow Credentials added to AD Object\\n\\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\\n\\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\\n\\n#### Possible investigation steps\\n\\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\\n - Check whether the `source.ip` is the server running Azure AD Connect.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\\n\\n### False positive analysis\\n\\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Remove the Shadow Credentials from the object.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. 
These accounts can be added as Exceptions.\"],\"references\":[\"https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab\",\"https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials\",\"https://github.com/OTRF/Set-AuditRule\",\"https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags 
Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b5345381-c262-4f3b-8c0a-f77dab6f85d5\",\"rule_id\":\"79f97b31-480e-4e63-a7f4-ede42bf2c6de\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.281Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"msDS-KeyCredentialLink\\\" and winlog.event_data.AttributeValue :B\\\\:828* and\\n not winlog.event_data.SubjectUserName: MSOL_*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active 
Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"revision\":0,\"current_rule\":{\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"updated_at\":\"2024-12-04T19:46:03.802Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.802Z\",\"created_by\":\"elastic\",\"name\":\"Potential Execution via XZBackdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ 
backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != \\\"/usr/sbin/sshd\\\"] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == 
\\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Execution via XZBackdoor\",\"description\":\"It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29d03784-b5ac-44bd-808d-5b62d3e66a68\",\"rule_id\":\"7afc6cc9-8800-4c7f-be6b-b688d2dea248\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updat
ed_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.802Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\"],\"target_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"merged_version\":[\"https://github.com/amlweems/xzbot\",\"https://access.redhat.com/security/cve/CVE-2024-3094\",\"https://www.elastic.co/security-labs/500ms-to-midnight\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_lin
e\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.exit_code\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" 
and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != \\\"/usr/sbin/sshd\\\"] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action 
== \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"sshd\\\" and\\n process.args == \\\"-D\\\" and process.args == \\\"-R\\\"] by process.pid, process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name == \\\"sshd\\\" and \\n process.executable != null and not (\\n process.executable in (\\\"/usr/sbin/sshd\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/bin/fipscheck\\\") or\\n process.args like (\\\"rsync*\\\", \\\"systemctl*\\\", \\\"/usr/sbin/unix_chkpwd\\\", \\\"/usr/bin/google_authorized_keys\\\", \\\"/usr/sbin/aad_certhandler*\\\") or\\n process.command_line like \\\"sh -c /usr/bin/env -i PATH=*\\\"\\n )] by process.parent.pid, process.parent.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"end\\\" and process.name == \\\"sshd\\\" and process.exit_code != 0] by process.pid, process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"end\\\" and event.action == \\\"disconnect_received\\\" and process.name == \\\"sshd\\\"] by process.pid, process.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"revision\":0,\"current_rule\":{\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"updated_at\":\"2024-12-04T19:45:51.288Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.288Z\",\"created_by\":\"elastic\",\"name\":\"Windows Network Enumeration\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.\",\"risk_score\":47,\"severity\":\"medium\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Network Enumeration\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that host shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n (process.args : \\\"view\\\" or (process.args : \\\"time\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\")) and\\n not process.command_line : \\\"net view 
\\\\\\\\\\\\\\\\localhost \\\"\\n\\n\\n /* expand when ancestry is available\\n and not descendant of [process where event.type == \\\"start\\\" and process.name : \\\"cmd.exe\\\" and\\n ((process.parent.name : \\\"userinit.exe\\\") or\\n (process.parent.name : \\\"gpscript.exe\\\") or\\n (process.parent.name : \\\"explorer.exe\\\" and\\n process.args : \\\"C:\\\\\\\\*\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.bat*\\\"))]\\n */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Network Enumeration\",\"description\":\"Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Network Enumeration\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that host shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c658a81e-f0ef-40f2-a52a-87639e4559de\",\"rule_id\":\"7b8bfc26-81d2-435e-965c-d722ee397ef1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.288Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n (process.args : \\\"view\\\" or (process.args : \\\"time\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\")) and\\n not process.command_line : \\\"net view \\\\\\\\\\\\\\\\localhost \\\"\\n\\n\\n /* expand when ancestry is available\\n and not descendant of [process where event.type == \\\"start\\\" and process.name : \\\"cmd.exe\\\" and\\n ((process.parent.name : \\\"userinit.exe\\\") or\\n (process.parent.name : 
\\\"gpscript.exe\\\") or\\n (process.parent.name : \\\"explorer.exe\\\" and\\n process.args : \\\"C:\\\\\\\\*\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.bat*\\\"))]\\n */\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"revision\":0,\"current_rule\":{\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"updated_at\":\"2024-12-04T19:45:51.290Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.290Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious LSASS Access via MalSecLogon\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* seclogon service accessing lsass */\\n winlog.event_data.CallTrace : \\\"*seclogon.dll*\\\" and process.name : \\\"svchost.exe\\\" and\\n\\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\\n winlog.event_data.GrantedAccess == \\\"0x14c0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious LSASS Access via 
MalSecLogon\",\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.GrantedAccess\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"7186583a-f4f4-46fa-80b6-4c26f00e6a8a\",\"rule_id\":\"7ba58110-ae13-439b-8192-357b0fcfa9d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.290Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* seclogon service accessing lsass */\\n winlog.event_data.CallTrace : \\\"*seclogon.dll*\\\" and process.name : \\\"svchost.exe\\\" and\\n\\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\\n winlog.event_data.GrantedAccess == \\\"0x14c0\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"revision\":0,\"current_rule\":{\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"updated_at\":\"2024-12-04T19:45:51.293Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.293Z\",\"created_by\":\"elastic\",\"name\":\"Tampering of Shell Command-Line History\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator 
Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and event.type == \\\"start\\\" and\\n (\\n ((process.args : (\\\"rm\\\", \\\"echo\\\") or\\n (process.args : \\\"ln\\\" and process.args : \\\"-sf\\\" and process.args : \\\"/dev/null\\\") or\\n (process.args : \\\"truncate\\\" and process.args : \\\"-s0\\\"))\\n and process.args : (\\\".bash_history\\\", \\\"/root/.bash_history\\\", \\\"/home/*/.bash_history\\\",\\\"/Users/.bash_history\\\", \\\"/Users/*/.bash_history\\\",\\n \\\".zsh_history\\\", \\\"/root/.zsh_history\\\", \\\"/home/*/.zsh_history\\\", 
\\\"/Users/.zsh_history\\\", \\\"/Users/*/.zsh_history\\\")) or\\n (process.args : \\\"history\\\" and process.args : \\\"-c\\\") or\\n (process.args : \\\"export\\\" and process.args : (\\\"HISTFILE=/dev/null\\\", \\\"HISTFILESIZE=0\\\")) or\\n (process.args : \\\"unset\\\" and process.args : \\\"HISTFILE\\\") or\\n (process.args : \\\"set\\\" and process.args : \\\"history\\\" and process.args : \\\"+o\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Tampering of Shell Command-Line History\",\"description\":\"Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eb280dc8-1070-494a-af2a-5fb8c702cb17\",\"rule_id\":\"7bcbb3ac-e533-41ad-a612-d6c3bf666aba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.293Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and event.type == \\\"start\\\" and\\n (\\n ((process.args : (\\\"rm\\\", \\\"echo\\\") or\\n (process.args : \\\"ln\\\" and process.args : \\\"-sf\\\" and process.args : \\\"/dev/null\\\") or\\n (process.args : \\\"truncate\\\" and process.args : \\\"-s0\\\"))\\n and process.args : (\\\".bash_history\\\", \\\"/root/.bash_history\\\", \\\"/home/*/.bash_history\\\",\\\"/Users/.bash_history\\\", \\\"/Users/*/.bash_history\\\",\\n \\\".zsh_history\\\", \\\"/root/.zsh_history\\\", \\\"/home/*/.zsh_history\\\", \\\"/Users/.zsh_history\\\", \\\"/Users/*/.zsh_history\\\")) or\\n (process.args : \\\"history\\\" and process.args : \\\"-c\\\") or\\n (process.args : \\\"export\\\" and process.args : (\\\"HISTFILE=/dev/null\\\", \\\"HISTFILESIZE=0\\\")) or\\n (process.args : \\\"unset\\\" and process.args : \\\"HISTFILE\\\") or\\n (process.args : \\\"set\\\" and 
process.args : \\\"history\\\" and process.args : \\\"+o\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"revision\":0,\"current_rule\":{\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"updated_at\":\"2024-12-04T19:45:51.295Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.295Z\",\"created_by\":\"elastic\",\"name\":\"APT Package Manager Configuration File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"APT Package Manager Configuration File Creation\",\"description\":\"Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"296d3f1f-f511-438a-9898-1243c7a09b26\",\"rule_id\":\"7c2e1297-7664-42bc-af11-6d5d35220b6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.295Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\"],\"target_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n 
\\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/apt/apt.conf.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n 
\\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/local/bin/apt-get\\\", \\\"/usr/bin/apt-get\\\"\\n ) or\\n file.path :(\\\"/etc/apt/apt.conf.d/*.tmp*\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/*\\\", \\\"/usr/libexec/*\\\",\\n \\\"/etc/kernel/*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"pveupdate\\\", \\\"perl\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"updated_at\":\"2024-12-04T19:45:51.298Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.298Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Bitlocker Setting Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Bitlocker Setting Disabled\\n\\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\\n\\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\\n\\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\\n\\n### False positive analysis\\n\\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.\"],\"from\":\"now-130m\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.admin.new_value:\\\"Disabled\\\" and google_workspace.admin.setting.name:BitLocker*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Bitlocker Setting Disabled\",\"description\":\"Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Bitlocker Setting Disabled\\n\\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\\n\\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\\n\\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\\n\\n### False positive analysis\\n\\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"c110365e-4202-41fb-8d2e-4bfd55038691\",\"rule_id\":\"7caa8e60-2df0-11ed-b814-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:51.298Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.admin.new_value:\\\"Disabled\\\" and google_workspace.admin.setting.name:BitLocker*\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"revision\":0,\"current_rule\":{\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"updated_at\":\"2024-12-04T19:46:03.804Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.804Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. 
This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name in (\\n \\\"applypatch-msg\\\", \\\"commit-msg\\\", \\\"fsmonitor-watchman\\\", \\\"post-update\\\", \\\"post-checkout\\\", \\\"post-commit\\\",\\n \\\"pre-applypatch\\\", \\\"pre-commit\\\", \\\"pre-merge-commit\\\", \\\"prepare-commit-msg\\\", \\\"pre-push\\\", \\\"pre-rebase\\\", \\\"pre-receive\\\",\\n \\\"push-to-checkout\\\", \\\"update\\\", \\\"post-receive\\\", \\\"pre-auto-gc\\\", \\\"post-rewrite\\\", \\\"sendemail-validate\\\", \\\"p4-pre-submit\\\",\\n \\\"post-index-change\\\", \\\"post-merge\\\", \\\"post-applypatch\\\"\\n) and (\\n process.name in (\\\"nohup\\\", \\\"setsid\\\", \\\"disown\\\", \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", 
\\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") or \\n process.name : (\\\"php*\\\", \\\"perl*\\\", \\\"ruby*\\\", \\\"lua*\\\") or \\n process.executable : (\\n \\\"/boot/*\\\", \\\"/dev/shm/*\\\", \\\"/etc/cron.*/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/run/*\\\", \\\"/srv/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/var/log/*\\\"\\n )\\n) and not process.name in (\\\"git\\\", \\\"dirname\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Child Process\",\"description\":\"This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack 
Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d4b7d849-b6f2-4a30-bfe5-603dd00ce5fd\",\"rule_id\":\"7ce5e1c7-6a49-45e6-a101-0720d185667f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.018Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.804Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.parent.name in (\\n \\\"applypatch-msg\\\", \\\"commit-msg\\\", 
\\\"fsmonitor-watchman\\\", \\\"post-update\\\", \\\"post-checkout\\\", \\\"post-commit\\\",\\n \\\"pre-applypatch\\\", \\\"pre-commit\\\", \\\"pre-merge-commit\\\", \\\"prepare-commit-msg\\\", \\\"pre-push\\\", \\\"pre-rebase\\\", \\\"pre-receive\\\",\\n \\\"push-to-checkout\\\", \\\"update\\\", \\\"post-receive\\\", \\\"pre-auto-gc\\\", \\\"post-rewrite\\\", \\\"sendemail-validate\\\", \\\"p4-pre-submit\\\",\\n \\\"post-index-change\\\", \\\"post-merge\\\", \\\"post-applypatch\\\"\\n) and (\\n process.name in (\\\"nohup\\\", \\\"setsid\\\", \\\"disown\\\", \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\") or \\n process.name : (\\\"php*\\\", \\\"perl*\\\", \\\"ruby*\\\", \\\"lua*\\\") or \\n process.executable : (\\n \\\"/boot/*\\\", \\\"/dev/shm/*\\\", \\\"/etc/cron.*/*\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/run/*\\\", \\\"/srv/*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/var/log/*\\\"\\n )\\n) and not process.name in (\\\"git\\\", \\\"dirname\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"target_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"revision\":0,\"current_rule\":{\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"updated_at\":\"2024-12-04T19:45:52.011Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.011Z\",\"created_by\":\"elastic\",\"name\":\"SSH Key Generated via ssh-keygen\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. 
However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.004\",\"name\":\"SSH Authorized Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1098/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\") and\\nprocess.executable == \\\"/usr/bin/ssh-keygen\\\" and file.path : (\\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\") and\\nnot file.name : \\\"known_hosts.*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SSH Key Generated via ssh-keygen\",\"description\":\"This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. 
However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.004\",\"name\":\"SSH Authorized Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1098/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.004\",\"name\":\"SSH\",\"reference\":\"https://attack.mitre.org/techniques/T1021/004/\"}]},{\"id\":\"T1563\",\"name\":\"Remote Service Session Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/\",\"subtechnique\":[{\"id\":\"T1563.001\",\"name\":\"SSH 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1563/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b13ac4f6-a37b-455e-b513-81e7bafd92d8\",\"rule_id\":\"7df3cb8b-5c0c-4228-b772-bb6cd619053c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.011Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"file_create_event\\\") and\\nprocess.executable == \\\"/usr/bin/ssh-keygen\\\" and file.path : (\\\"/home/*/.ssh/*\\\", \\\"/root/.ssh/*\\\", \\\"/etc/ssh/*\\\") and\\nnot file.name : \\\"known_hosts.*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"revision\":0,\"current_rule\":{\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"updated_at\":\"2024-12-04T19:45:52.016Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.016Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Management Console File from Unusual Path\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"},{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/grimresource\"],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and process.args : \\\"*.msc\\\" and\\n not process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Management Console File from Unusual Path\",\"description\":\"Identifies attempts to open a Microsoft Management Console File from untrusted paths. 
Adversaries may use MSC files for initial access and execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/grimresource\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"},{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.014\",\"name\":\"MMC\",\"reference\":\"https://attack.mitre.org/techniques/T1218/014/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"316e0abc-06e1-4e1b-a7eb-0806fb9ef6df\",\"rule_id\":\"7e23dfef-da2c-4d64-b11d-5f285b638853\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.016Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and process.args : \\\"*.msc\\\" and\\n not process.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\"\\n ) and\\n process.args : \\\"*.msc\\\" and\\n not process.args : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"revision\":0,\"current_rule\":{\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"updated_at\":\"2024-12-04T19:45:52.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.019Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMIC XSL Script Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. 
When WMIC loads scripting libraries it may be indicative of an allowlist bypass.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",
\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan = 2m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or process.pe.original_file_name : \\\"wmic.exe\\\") and\\n process.args : (\\\"format*:*\\\", \\\"/format*:*\\\", \\\"*-format*:*\\\") and\\n not process.command_line : (\\\"* /format:table *\\\", \\\"* /format:table\\\")]\\n[any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\") or file.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\"))]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMIC XSL Script Execution\",\"description\":\"Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. 
When WMIC loads scripting libraries it may be indicative of an allowlist bypass.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1f473896-c207-4311-b386-d5220ece829d\",\"rule_id\":\"7f370d54-c0eb-4270-ac5a-9a6020585dc6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.019Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan = 2m\\n[process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or process.pe.original_file_name : \\\"wmic.exe\\\") and\\n process.args : (\\\"format*:*\\\", \\\"/format*:*\\\", \\\"*-format*:*\\\") and\\n not process.command_line : (\\\"* /format:table *\\\", \\\"* /format:table\\\")]\\n[any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"jscript.dll\\\", \\\"vbscript.dll\\\") or file.name : (\\\"jscript.dll\\\", 
\\\"vbscript.dll\\\"))]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"revision\":0,\"current_rule\":{\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"updated_at\":\"2024-12-04T19:45:52.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.024Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Timer Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. 
Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE 
'/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.006\",\"name\":\"Systemd Timers\",\"reference\":\"https://attack.mitre.org/techniques/T1053/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":13,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true
}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", 
\\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Timer Created\",\"description\":\"Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. 
\\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' 
OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":15,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.006\",\"name\":\"Systemd Timers\",\"reference\":\"https://attack.mitre.org/techniques/T1053/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"41759309-c850-4cb5-a74b-ffe66bb57df9\",\"rule_id\":\"7fb500fa-8e24-4bd1-9480-2a819352602c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.024Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", 
\\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n 
\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":13,\"target_version\":15,\"merged_version\":15,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://opensource.com/article/20/7/systemd-timers\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Systemd Timer Created\\n\\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \\n\\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. 
\\n\\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the timer file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\\n- Search for the systemd service file named similarly to the timer that was created.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\\\npath LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\\\nOR path LIKE '/usr/lib/systemd/user/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n 
\\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", \\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", 
\\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/systemd/system/*\\\", \\\"/etc/systemd/user/*\\\", 
\\\"/usr/local/lib/systemd/system/*\\\",\\n \\\"/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/system/*\\\", \\\"/usr/lib/systemd/user/*\\\",\\n \\\"/home/*/.config/systemd/user/*\\\", \\\"/home/*/.local/share/systemd/user/*\\\",\\n \\\"/root/.config/systemd/user/*\\\", \\\"/root/.local/share/systemd/user/*\\\"\\n) and file.extension == \\\"timer\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/crio\\\", \\\"/usr/sbin/crond\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/kaniko/kaniko-executor\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/usr/bin/podman\\\", \\\"/bin/install\\\", \\\"/proc/self/exe\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"crio\\\", \\\"apt-get\\\", \\\"install\\\", \\\"snapd\\\", \\\"cloudflared\\\", \\\"sshd\\\", \\\"convert-usrmerge\\\", \\\"docker-init\\\",\\n \\\"google_metadata_script_runner\\\"\\n ) 
or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"updated_at\":\"2024-12-04T19:45:52.026Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.026Z\",\"created_by\":\"elastic\",\"name\":\"Potential AWS S3 Bucket Ransomware Note Uploaded\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\\n\\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. 
Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. 
Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident 
Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may legitimately access, delete, and replace objects in S3 buckets. 
Ensure that the sequence of events is not part of a legitimate operation before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"to\":\"now\",\"references\":[\"https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"AWS S3 data types need to be enabled in the CloudTrail trail configuration.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, 
aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential AWS S3 Bucket Ransomware Note Uploaded\",\"description\":\"Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\\n\\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may legitimately access, delete, and replace objects in S3 buckets. 
Ensure that the sequence of events is not part of a legitimate operation before taking action.\"],\"references\":[\"https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf\",\"https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1485\",\"name\":\"Data Destruction\",\"reference\":\"https://attack.mitre.org/techniques/T1485/\"}]}],\"setup\":\"AWS S3 data types need to be enabled in the CloudTrail trail configuration.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"3529d334-6118-4205-856d-1af2867fed0f\",\"rule_id\":\"7fda9bb2-fd28-11ee-85f9-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.026Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, 
aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect 
aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful uploads via S3 API requests\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"PutObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract object name from API request parameters\\n| dissect aws.cloudtrail.request_parameters \\\"%{?ignore_values}key=%{object_name}}\\\"\\n\\n// regex on common ransomware note extensions\\n| where object_name rlike \\\"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\\\"\\n and not object_name rlike \\\"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\\\"\\n\\n// keep relevant fields\\n| keep tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// aggregate by S3 bucket, resource and object name\\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\\n\\n// filter for single occurrence to eliminate common upload operations\\n| where note_upload_count == 1\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"revision\":0,\"current_rule\":{\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"updated_at\":\"2024-12-04T19:45:52.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.029Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Kernel Modules via Proc\",\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. 
These can be exempted by process name or username.\"],\"from\":\"now-119m\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /proc/ -p r -k audit_proc\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(grep or python* or chef-client)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Kernel Modules via Proc\",\"description\":\"Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. 
This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Data Source: Auditd Manager\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\\n```\\nKibana -->\\nManagement -->\\nIntegrations -->\\nAuditd Manager -->\\nAdd Auditd Manager\\n```\\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /proc/ -p r -k audit_proc\\n```\\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3312834b-6897-4fcb-86b4-c5224316fd42\",\"rule_id\":\"80084fa9-8677-4453-8680-b891d3c0c778\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.029Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or 
chef-client)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(grep or python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:\\\"opened-file\\\" and file.path:\\\"/proc/modules\\\" and\\nnot process.name:(python* or chef-client)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"current_version\":\"now-7d\",\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"revision\":0,\"current_rule\":{\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"updated_at\":\"2024-12-04T19:46:03.807Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.807Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell Obfuscated Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/danielbohannon/Invoke-Obfuscation\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[string]::join\\\" or\\n \\\"-Join\\\" or\\n \\\"[convert]::toint16\\\" or\\n \\\"[char][int]$_\\\" or\\n (\\\"ConvertTo-SecureString\\\" and \\\"PtrToStringAuto\\\") or\\n \\\".GetNetworkCredential().password\\\" or\\n \\\"-BXor\\\" or\\n (\\\"replace\\\" and \\\"char\\\") or\\n \\\"[array]::reverse\\\"\\n ) and\\n powershell.file.script_block_text : (\\n (\\\"$pSHoMe[\\\" and \\\"+$pSHoMe[\\\") or\\n (\\\"$ShellId[\\\" and \\\"+$ShellId[\\\") or\\n (\\\"$env:ComSpec[4\\\" and \\\"25]-Join\\\") or\\n 
((\\\"Set-Variable\\\" or \\\"SV\\\" or \\\"Set-Item\\\") and \\\"OFS\\\") or\\n (\\\"*MDR*\\\" and \\\"Name[3,11,2]\\\") or\\n (\\\"$VerbosePreference\\\" and \\\"[1,3]+'X'-Join''\\\") or\\n (\\\"rahc\\\" or \\\"ekovin\\\" or \\\"gnirts\\\" or \\\"ecnereferpesobrev\\\" or \\\"ecalper\\\" or \\\"cepsmoc\\\" or \\\"dillehs\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell Obfuscated Script\",\"description\":\"Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/danielbohannon/Invoke-Obfuscation\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"4bffc57c-18d4-46de-9aac-535ced89b1a4\",\"rule_id\":\"8025db49-c57c-4fc0-bd86-7ccd6d10a35a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:03.807Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[string]::join\\\" or\\n \\\"-Join\\\" or\\n \\\"[convert]::toint16\\\" or\\n \\\"[char][int]$_\\\" or\\n (\\\"ConvertTo-SecureString\\\" and \\\"PtrToStringAuto\\\") or\\n \\\".GetNetworkCredential().password\\\" or\\n \\\"-BXor\\\" or\\n (\\\"replace\\\" and \\\"char\\\") or\\n \\\"[array]::reverse\\\"\\n ) and\\n powershell.file.script_block_text : (\\n (\\\"$pSHoMe[\\\" and \\\"+$pSHoMe[\\\") or\\n 
(\\\"$ShellId[\\\" and \\\"+$ShellId[\\\") or\\n (\\\"$env:ComSpec[4\\\" and \\\"25]-Join\\\") or\\n ((\\\"Set-Variable\\\" or \\\"SV\\\" or \\\"Set-Item\\\") and \\\"OFS\\\") or\\n (\\\"*MDR*\\\" and \\\"Name[3,11,2]\\\") or\\n (\\\"$VerbosePreference\\\" and \\\"[1,3]+'X'-Join''\\\") or\\n (\\\"rahc\\\" or \\\"ekovin\\\" or \\\"gnirts\\\" or \\\"ecnereferpesobrev\\\" or \\\"ecalper\\\" or \\\"cepsmoc\\\" or \\\"dillehs\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"revision\":0,\"current_rule\":{\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"updated_at\":\"2024-12-04T19:45:52.037Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.037Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Troubleshooting Pack Cabinet Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent 
process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : \\\"msdt.exe\\\" or ?process.pe.original_file_name == \\\"msdt.exe\\\") and process.args : \\\"/cab\\\" and\\n process.parent.name : (\\n \\\"firefox.exe\\\", \\\"chrome.exe\\\", \\\"msedge.exe\\\", 
\\\"explorer.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\",\\n \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"iexplore\\\", \\\"firefox.exe\\\", \\\"waterfox.exe\\\", \\\"iexplore.exe\\\",\\n \\\"winrar.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"outlook.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\"\\n ) and\\n process.args : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\",\\n \\\"http*\\\",\\n \\\"ftp://*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Troubleshooting Pack Cabinet Execution\",\"description\":\"Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"29e48c76-26ec-4943-ba8d-ad597c979051\",\"rule_id\":\"808291d3-e918-4a3a-86cd-73052a0c9bdc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.037Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : \\\"msdt.exe\\\" or ?process.pe.original_file_name == \\\"msdt.exe\\\") and process.args : \\\"/cab\\\" and\\n process.parent.name : (\\n \\\"firefox.exe\\\", \\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"explorer.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\",\\n \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"iexplore\\\", \\\"firefox.exe\\\", \\\"waterfox.exe\\\", \\\"iexplore.exe\\\",\\n \\\"winrar.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"outlook.exe\\\", \\\"winword.exe\\\", \\\"excel.exe\\\"\\n ) and\\n process.args : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\",\\n \\\"\\\\\\\\\\\\\\\\*\\\",\\n \\\"http*\\\",\\n \\\"ftp://*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"revision\":0,\"current_rule\":{\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"updated_at\":\"2024-12-04T19:45:52.047Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.047Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script Block Logging Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script Block Logging Disabled\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\\n\\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\\n- Investigate if PowerShell scripts were run after logging was disabled.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script Block Logging Disabled\",\"description\":\"Identifies attempts to disable PowerShell Script Block Logging via registry modification. 
Attackers may disable this logging to conceal their activities in the host and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Script Block Logging Disabled\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\\n\\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\\n- Investigate if PowerShell scripts were run after logging was disabled.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d5dd2920-2e3c-48d3-8a28-4c258f1d70cf\",\"rule_id\":\"818e23e6-2094-4f0e-8c01-22d30f3506c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.047Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", 
\\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\PowerShell\\\\\\\\ScriptBlockLogging\\\\\\\\EnableScriptBlockLogging\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"revision\":0,\"current_rule\":{\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"updated_at\":\"2024-12-04T19:45:52.049Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.049Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Payload Encoded and Compressed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of compression and encoding.\"],\"from\":\"now-9m\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"System.IO.Compression.DeflateStream\\\" or\\n \\\"System.IO.Compression.GzipStream\\\" or\\n \\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GzipStream\\\"\\n ) and\\n FromBase64String\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat 
Protection\\\\\\\\Downloads\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Payload Encoded and Compressed\",\"description\":\"Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, Windows event ID 4624) to the target host after the suspicious script execution.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed. Note that the rule query already excludes script blocks logged under the local SYSTEM account (user.id S-1-5-18) and files located under the ProgramData Windows Defender Advanced Threat Protection Downloads folder, so encoded payloads executed in those contexts will not raise this alert; consider this before adding broader exceptions.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate PowerShell Scripts which makes use of compression and encoding.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"263424d7-e73d-4165-b646-3cec5de61ff0\",\"rule_id\":\"81fe9dc6-a2d7-4192-a2d8-eed98afc766a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.049Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"System.IO.Compression.DeflateStream\\\" or\\n \\\"System.IO.Compression.GzipStream\\\" or\\n 
\\\"IO.Compression.DeflateStream\\\" or\\n \\\"IO.Compression.GzipStream\\\"\\n ) and\\n FromBase64String\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"revision\":0,\"current_rule\":{\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"updated_at\":\"2024-12-04T19:45:52.051Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.051Z\",\"created_by\":\"elastic\",\"name\":\"Temporarily Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation and deletion of a scheduled task within a short time interval. 
Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\\n [iam where event.action == \\\"scheduled-task-created\\\" and not user.name : \\\"*$\\\"]\\n [iam where event.action == \\\"scheduled-task-deleted\\\" and not user.name : \\\"*$\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Temporarily Scheduled Task Creation\",\"description\":\"Indicates the creation and deletion of a scheduled task within a short time interval. 
Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"f0fd8b2e-f67b-4965-8e22-8e3232d569cc\",\"rule_id\":\"81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.051Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\\n [iam where event.action == \\\"scheduled-task-created\\\" and not user.name : \\\"*$\\\"]\\n [iam where event.action == \\\"scheduled-task-deleted\\\" and not user.name : \\\"*$\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"revision\":0,\"current_rule\":{\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"updated_at\":\"2024-12-04T19:45:52.056Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.056Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Local Account Brute Force Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. 
Adversaries might brute force login attempts across different users with a default wordlist or a set of custom-crafted passwords in an attempt to gain access to these accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\"\\n )\\n ] with runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Local Account Brute Force Detected\",\"description\":\"Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. 
Adversaries might brute force login attempts across different users with a default wordlist or a set of custom-crafted passwords in an attempt to gain access to these accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e63c20df-98ab-4553-9375-732d68527841\",\"rule_id\":\"835c0622-114e-40b5-a346-f843ea5d01f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.056Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", 
\\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.parent.executable, user.id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == 
\\\"exec\\\" and process.name == \\\"su\\\" and \\n not process.parent.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"clickhouse-server\\\", \\\"ma\\\", \\\"gitlab-runner\\\",\\n \\\"updatedb.findutils\\\", \\\"cron\\\", \\\"perl\\\", \\\"sudo\\\", \\\"java\\\", \\\"cloud-app-identify\\\", \\\"ambari-sudo.sh\\\"\\n )\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"revision\":0,\"current_rule\":{\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"updated_at\":\"2024-12-04T19:45:52.061Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.061Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Disable IPTables or Firewall\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args == \\\"-F\\\" and process.args_count == 2)\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Disable IPTables or Firewall\",\"description\":\"Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: 
Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0352a280-e30a-48f1-baa2-a7574817dea8\",\"rule_id\":\"83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.061Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", \\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"key
word\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args == \\\"-F\\\" and process.args_count == 2)\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", 
\\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n (\\n /* disable FW */\\n (\\n (process.name == \\\"ufw\\\" and process.args == \\\"disable\\\") or\\n (process.name == \\\"iptables\\\" and process.args in (\\\"-F\\\", \\\"--flush\\\", \\\"-X\\\", \\\"--delete-chain\\\") and process.args_count == 2) or\\n (process.name in (\\\"iptables\\\", \\\"ip6tables\\\") and process.parent.args == \\\"force-stop\\\")\\n ) or\\n\\n /* stop FW service */\\n (\\n ((process.name == \\\"service\\\" and process.args == \\\"stop\\\") or\\n (process.name == \\\"chkconfig\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"disable\\\", \\\"stop\\\", \\\"kill\\\"))) and\\n process.args in (\\\"firewalld\\\", \\\"ip6tables\\\", \\\"iptables\\\", \\\"firewalld.service\\\", \\\"ip6tables.service\\\", \\\"iptables.service\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"revision\":0,\"current_rule\":{\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"updated_at\":\"2024-12-04T19:45:52.066Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.066Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Transport Agent Install Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: PowerShell Logs\",\"Rule Type: 
BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.002\",\"name\":\"Transport Agent\",\"reference\":\"https://attack.mitre.org/techniques/T1505/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\nSteps to implement the logging policy via registry:\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n \\\"Install-TransportAgent\\\" or\\n \\\"Enable-TransportAgent\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not powershell.file.script_block_text : (\\n \\\"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\\\" or\\n \\\"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\\\" or\\n (\\\"scriptCmd.GetSteppablePipeline\\\" and \\\"ForwardHelpTargetName Install-TransportAgent\\\")\\n 
)\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Transport Agent Install Script\",\"description\":\"Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. 
Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1505\",\"name\":\"Server Software Component\",\"reference\":\"https://attack.mitre.org/techniques/T1505/\",\"subtechnique\":[{\"id\":\"T1505.002\",\"name\":\"Transport Agent\",\"reference\":\"https://attack.mitre.org/techniques/T1505/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\nSteps to implement the logging policy via registry:\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ac86616-b625-4f53-a643-0e09a153dedd\",\"rule_id\":\"846fe13f-6772-4c83-bd39-9d16d4ad1a81\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.066Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1\"}}}}],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\n 
\\\"Install-TransportAgent\\\" or\\n \\\"Enable-TransportAgent\\\"\\n )\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not powershell.file.script_block_text : (\\n \\\"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\\\" or\\n \\\"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\\\" or\\n (\\\"scriptCmd.GetSteppablePipeline\\\" and \\\"ForwardHelpTargetName Install-TransportAgent\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"revision\":0,\"current_rule\":{\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"updated_at\":\"2024-12-04T19:46:04.828Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.828Z\",\"created_by\":\"elastic\",\"name\":\"At Job Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for at jobs being created or renamed. 
Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : \\\"/var/spool/cron/atjobs/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", 
\\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"At Job Created or Modified\",\"description\":\"This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that system administrators can legitimately use, but that malicious actors may abuse for persistence, privilege escalation and command execution. By creating or modifying at job configurations, attackers can execute malicious commands or scripts at a predefined time, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c90d3ec4-3232-4320-a40e-f36aef87d039\",\"rule_id\":\"84755a05-78c8-4430-8681-89cd6c857d71\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.828Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : \\\"/var/spool/cron/atjobs/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"updated_at\":\"2024-12-04T19:45:52.074Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.074Z\",\"created_by\":\"elastic\",\"name\":\"Enumerating Domain Trusts via NLTEST.EXE\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configured as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer.\"],\"from\":\"now-9m\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\",\"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nltest.exe\\\" and process.args : (\\n \\\"/DCLIST:*\\\", \\\"/DCNAME:*\\\", \\\"/DSGET*\\\",\\n \\\"/LSAQUERYFTI:*\\\", \\\"/PARENTDOMAIN\\\",\\n \\\"/DOMAIN_TRUSTS\\\", \\\"/BDC_QUERY:*\\\"\\n ) and \\nnot process.parent.name : \\\"PDQInventoryScanner.exe\\\" and \\nnot user.id in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumerating Domain Trusts via NLTEST.EXE\",\"description\":\"Identifies the use of nltest.exe for domain trust discovery purposes. 
Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\\n\\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \\\"trusting\\\" domain permits users from a \\\"trusted\\\" domain to access resources. These trust relationships can be configured as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\\n\\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer.\"],\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)\",\"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1482\",\"name\":\"Domain Trust Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5330e282-3308-4f3a-b9fe-b08308529801\",\"rule_id\":\"84da2554-e12a-11ec-b896-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.019Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.074Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"nltest.exe\\\" and process.args : (\\n \\\"/DCLIST:*\\\", \\\"/DCNAME:*\\\", \\\"/DSGET*\\\",\\n \\\"/LSAQUERYFTI:*\\\", \\\"/PARENTDOMAIN\\\",\\n \\\"/DOMAIN_TRUSTS\\\", \\\"/BDC_QUERY:*\\\"\\n ) and \\nnot process.parent.name : \\\"PDQInventoryScanner.exe\\\" and \\nnot user.id in (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", 
\\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"revision\":0,\"current_rule\":{\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"updated_at\":\"2024-12-04T19:45:52.079Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.079Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious PowerShell Engine ImageLoad\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PowerShell Engine ImageLoad\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \\\"PowerShell without PowerShell,\\\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. 
These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":210,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:library and \\n 
dll.name:(\\\"System.Management.Automation.dll\\\" or \\\"System.Management.Automation.ni.dll\\\") and \\n not (\\n process.code_signature.subject_name:(\\\"Microsoft Corporation\\\" or \\\"Microsoft Dynamic Code Publisher\\\" or \\\"Microsoft Windows\\\") and process.code_signature.trusted:true and not process.name.caseless:(\\\"regsvr32.exe\\\" or \\\"rundll32.exe\\\")\\n ) and \\n not (\\n process.executable.caseless:(C\\\\:\\\\\\\\Program*Files*\\\\(x86\\\\)\\\\\\\\*.exe or C\\\\:\\\\\\\\Program*Files\\\\\\\\*.exe) and\\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: C\\\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\\\"Lenovo\\\" and \\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: \\\"C:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\choco.exe\\\" and\\n process.code_signature.subject_name:\\\"Chocolatey Software, Inc.\\\" and process.code_signature.trusted:true\\n ) and not process.executable.caseless : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.library-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious PowerShell Engine ImageLoad\",\"description\":\"Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious PowerShell Engine ImageLoad\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \\\"PowerShell without PowerShell,\\\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Retrieve the implementation (DLL, executable, etc.) and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. 
These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"264e8c96-b2f7-406e-ab38-456e277b8add\",\"rule_id\":\"852c1f19-68e8-43a6-9dce-340771fe1be3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.079Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:library and \\n dll.name:(\\\"System.Management.Automation.dll\\\" or \\\"System.Management.Automation.ni.dll\\\") and \\n not (\\n process.code_signature.subject_name:(\\\"Microsoft Corporation\\\" or \\\"Microsoft Dynamic Code Publisher\\\" or \\\"Microsoft Windows\\\") and process.code_signature.trusted:true and not process.name.caseless:(\\\"regsvr32.exe\\\" or \\\"rundll32.exe\\\")\\n ) and \\n not (\\n process.executable.caseless:(C\\\\:\\\\\\\\Program*Files*\\\\(x86\\\\)\\\\\\\\*.exe or C\\\\:\\\\\\\\Program*Files\\\\\\\\*.exe) and\\n process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: C\\\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\\\"Lenovo\\\" and \\n 
process.code_signature.trusted:true\\n ) and \\n not (\\n process.executable.caseless: \\\"C:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\choco.exe\\\" and\\n process.code_signature.subject_name:\\\"Chocolatey Software, Inc.\\\" and process.code_signature.trusted:true\\n ) and not process.executable.caseless : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.library-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":210,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"revision\":0,\"current_rule\":{\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"updated_at\":\"2024-12-04T19:45:52.089Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.089Z\",\"created_by\":\"elastic\",\"name\":\"Security Software Discovery via Grep\",\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery via Grep\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Endpoint Security installers, updaters and post installation verification scripts.\"],\"from\":\"now-9m\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\"],\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n 
\\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Security Software Discovery via Grep\",\"description\":\"Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Security Software Discovery via Grep\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. 
This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: macOS\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Endpoint Security installers, updaters and post installation verification scripts.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1518\",\"name\":\"Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/\",\"subtechnique\":[{\"id\":\"T1518.001\",\"name\":\"Security Software Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1518/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"502cdc78-7075-434d-9ab1-041b03112953\",\"rule_id\":\"870aecc0-cea4-4110-af3f-e02e9b373655\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.089Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n 
(process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"auditbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n 
\\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not 
(\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n (process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where event.type == \\\"start\\\" and\\nprocess.name : \\\"grep\\\" and user.id != \\\"0\\\" and\\n not process.parent.executable : (\\\"/Library/Application Support/*\\\", \\\"/opt/McAfee/agent/scripts/ma\\\") and\\n process.args :\\n (\\\"Little Snitch*\\\",\\n \\\"Avast*\\\",\\n \\\"Avira*\\\",\\n \\\"ESET*\\\",\\n \\\"BlockBlock*\\\",\\n \\\"360Sec*\\\",\\n \\\"LuLu*\\\",\\n \\\"KnockKnock*\\\",\\n \\\"kav\\\",\\n \\\"KIS\\\",\\n \\\"RTProtectionDaemon*\\\",\\n \\\"Malware*\\\",\\n \\\"VShieldScanner*\\\",\\n \\\"WebProtection*\\\",\\n \\\"webinspectord*\\\",\\n \\\"McAfee*\\\",\\n \\\"isecespd*\\\",\\n \\\"macmnsvc*\\\",\\n \\\"masvc*\\\",\\n \\\"kesl*\\\",\\n \\\"avscan*\\\",\\n \\\"guard*\\\",\\n \\\"rtvscand*\\\",\\n \\\"symcfgd*\\\",\\n \\\"scmdaemon*\\\",\\n \\\"symantec*\\\",\\n \\\"sophos*\\\",\\n \\\"osquery*\\\",\\n \\\"elastic-endpoint*\\\"\\n ) and\\n not (\\n (process.args : \\\"Avast\\\" and process.args : \\\"Passwords\\\") or\\n (process.args == \\\"osquery.conf\\\") or \\n 
(process.parent.args : \\\"/opt/McAfee/agent/scripts/ma\\\" and process.parent.args : \\\"checkhealth\\\") or\\n (process.command_line : (\\n \\\"grep ESET Command-line scanner, version %s -A2\\\",\\n \\\"grep -i McAfee Web Gateway Core version:\\\",\\n \\\"grep --color=auto ESET Command-line scanner, version %s -A2\\\"\\n )\\n ) or\\n (process.parent.command_line : (\\n \\\"\\\"\\\"sh -c printf \\\"command_start_%s\\\"*; perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \\\"command_done_%s*\\\"\\\"\\\",\\n \\\"\\\"\\\"bash -c perl -pe 's/[^ -~]/\\\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\\\"\\\"\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"revision\":0,\"current_rule\":{\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"updated_at\":\"2024-12-04T19:45:52.091Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.091Z\",\"created_by\":\"elastic\",\"name\":\"Enumeration of Administrator Accounts\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Administrator Accounts\\n\\nAfter successfully compromising an 
environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"},{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n (process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\")\\n ) and\\n process.args : (\\\"group\\\", \\\"user\\\", \\\"localgroup\\\") and\\n process.args : 
(\\\"*admin*\\\", \\\"Domain Admins\\\", \\\"Remote Desktop Users\\\", \\\"Enterprise Admins\\\", \\\"Organization Management\\\")\\n and not process.args : (\\\"/add\\\", \\\"/delete\\\")\\n ) or\\n (\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : (\\\"group\\\", \\\"useraccount\\\")\\n )\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enumeration of Administrator Accounts\",\"description\":\"Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enumeration of Administrator Accounts\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.001\",\"name\":\"Local Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/001/\"},{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f64fe8b-508b-47f3-b86c-836f52b74b6a\",\"rule_id\":\"871ea072-1b71-4def-b016-6278b505138d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.091Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (\\n (process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or\\n ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and not process.parent.name : \\\"net.exe\\\")\\n ) and\\n process.args : (\\\"group\\\", \\\"user\\\", \\\"localgroup\\\") and\\n process.args : (\\\"*admin*\\\", \\\"Domain Admins\\\", \\\"Remote Desktop Users\\\", \\\"Enterprise Admins\\\", \\\"Organization Management\\\")\\n and not process.args : (\\\"/add\\\", \\\"/delete\\\")\\n ) or\\n (\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : (\\\"group\\\", 
\\\"useraccount\\\")\\n )\\n) and not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details 
on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"revision\":0,\"current_rule\":{\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"updated_at\":\"2024-12-04T19:45:52.096Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.096Z\",\"created_by\":\"elastic\",\"name\":\"Potential Suspicious Clipboard Activity Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard 
Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and\\nevent.type:\\\"start\\\" and event.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"process.group_leader.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Clipboard Activity Detected\",\"description\":\"This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. 
Adversaries may collect data stored in the clipboard from users copying information within or between applications.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5dfb9850-5e54-4bdf-9758-5fd10850aa47\",\"rule_id\":\"884e87cc-c67b-4c90-a4ed-e1e24a940c82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.096Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and 
event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"process.group_leader.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Potential Suspicious Clipboard Activity Detected\",\"target_version\":\"Linux Clipboard Activity Detected\",\"merged_version\":\"Linux Clipboard Activity Detected\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"60m\",\"lookback\":\"3540s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and\\nevent.type:\\\"start\\\" and event.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and\\nevent.action:(\\\"exec\\\" or \\\"exec_event\\\" or \\\"executed\\\" or \\\"process_started\\\") and\\nprocess.name:(\\\"xclip\\\" or \\\"xsel\\\" or \\\"wl-clipboard\\\" or \\\"clipman\\\" or \\\"copyq\\\") and\\nnot process.parent.name:(\\\"bwrap\\\" or \\\"micro\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"revision\":0,\"current_rule\":{\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"updated_at\":\"2024-12-04T19:45:52.103Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.103Z\",\"created_by\":\"elastic\",\"name\":\"Potential Sudo Hijacking\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"to\":\"now\",\"references\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\nfile.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") and not (\\n file.Ext.original.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") or\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\",\\n \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\",\\n \\\"/usr/sbin/pacman\\\", \\\"/usr/bin/microdnf\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/local/bin/podman\\\", \\\"/usr/local/bin/dnf\\\",\\n \\\"/kaniko/executor\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-cache\\\", \\\"/usr/bin/apt-mark\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", 
\\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/var/lib/docker/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Sudo Hijacking\",\"description\":\"Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b687ca60-607c-4593-b5e3-251266cf8c31\",\"rule_id\":\"88fdcb8c-60e5-46ee-9206-2663adf1b1ce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.103Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\nfile.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") and not (\\n file.Ext.original.path in (\\\"/usr/bin/sudo\\\", \\\"/bin/sudo\\\") or\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", 
\\\"/bin/microdnf\\\",\\n \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\", \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\",\\n \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\", \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\",\\n \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\",\\n \\\"/usr/sbin/pacman\\\", \\\"/usr/bin/microdnf\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/local/bin/podman\\\", \\\"/usr/local/bin/dnf\\\",\\n \\\"/kaniko/executor\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/apt-get\\\", \\\"/usr/bin/apt-cache\\\", \\\"/usr/bin/apt-mark\\\"\\n ) or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/var/lib/docker/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\"],\"target_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"revision\":0,\"current_rule\":{\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"updated_at\":\"2024-12-04T19:45:52.109Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.109Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMI Image Load from MS Office\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). 
This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMI Image Load from MS Office\",\"description\":\"Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e61250dc-31ea-4d6c-9ef3-f6f78b1e16d5\",\"rule_id\":\"891cb88e-441a-4c3e-be2d-120d99fe7b0d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.109Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : 
\\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"revision\":0,\"current_rule\":{\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"updated_at\":\"2024-12-04T19:45:52.112Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.112Z\",\"created_by\":\"elastic\",\"name\":\"Potential WPAD Spoofing via DNS Record Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. 
Attackers can disable the Global Query Block List (GQBL) and create a \\\"wpad\\\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing\",\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not 
cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectDN : \\\"DC=wpad,*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential WPAD Spoofing via DNS Record Creation\",\"description\":\"Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \\\"wpad\\\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing\",\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"bb354b45-54af-42c1-96ba-b013b9384087\",\"rule_id\":\"894326d2-56c0-4342-b553-4abfaf421b5b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.112Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in 
(\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and winlog.event_data.ObjectDN : \\\"DC=wpad,*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"revision\":0,\"current_rule\":{\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"updated_at\":\"2024-12-04T19:45:52.114Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.114Z\",\"created_by\":\"elastic\",\"name\":\"Kerberos Traffic from Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Traffic from Unusual Process\\n\\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\\n\\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the Destination IP is related to a Domain Controller.\\n- Review event ID 4769 for suspicious ticket requests.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account IS NULL)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time of the suspicious Kerberos traffic.\\n\\n### False positive analysis\\n\\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\\n- Exceptions can be added for noisy/frequent connections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Ticket requests can be used to investigate potentially compromised accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"HTTP traffic on a non standard port. 
Verify that the destination IP address is not related to a Domain Controller.\"],\"from\":\"now-9m\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and network.direction == \\\"egress\\\" and\\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \\\"*\\\" and\\n not \\n (\\n process.executable : (\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap oem\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\windows\\\\\\\\system32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Amazon Corretto\\\\\\\\jdk1*\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Proxy Server\\\\\\\\bin\\\\\\\\prunsrv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Core\\\\\\\\tomcat-core\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\DBeaver\\\\\\\\dbeaver.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.backend.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\JetBrains\\\\\\\\PyCharm Community Edition*\\\\\\\\bin\\\\\\\\pycharm64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Oracle\\\\\\\\VirtualBox\\\\\\\\VirtualBoxVM.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Puppet Labs\\\\\\\\Puppet\\\\\\\\puppet\\\\\\\\bin\\\\\\\\ruby.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\rapid7\\\\\\\\nexpose\\\\\\\\nse\\\\\\\\.DLLCACHE\\\\\\\\nseserv.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Silverfort\\\\\\\\Silverfort AD Adapter\\\\\\\\SilverfortServer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Tenable\\\\\\\\Nessus\\\\\\\\nessusd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware View\\\\\\\\Server\\\\\\\\bin\\\\\\\\ws_TomcatService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Advanced Port Scanner\\\\\\\\advanced_port_scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcpatchscan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GFI\\\\\\\\LanGuard 12 Agent\\\\\\\\lnsscomm.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\MicrosoftEdgeUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Silverlight\\\\\\\\sllauncher.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap OEM\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\nwps\\\\\\\\NetScanTools Pro\\\\\\\\NSTPRO.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP BusinessObjects\\\\\\\\tomcat\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SuperScan\\\\\\\\scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Zscaler\\\\\\\\ZSATunnel\\\\\\\\ZSATunnel.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\vmnat.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SystemApps\\\\\\\\Microsoft.MicrosoftEdge_*\\\\\\\\MicrosoftEdge.exe\\\",\\n \\\"System\\\"\\n ) and process.code_signature.trusted == true\\n ) and\\n destination.address != \\\"127.0.0.1\\\" and destination.address != \\\"::1\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kerberos Traffic from Unusual Process\",\"description\":\"Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Traffic from Unusual Process\\n\\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\\n\\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check if the Destination IP is related to a Domain Controller.\\n- Review event ID 4769 for suspicious ticket requests.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for logon events (for example, 4624) to the target host around the time of the unusual Kerberos traffic.\\n\\n### False positive analysis\\n\\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\\n- Exceptions can be added for noisy/frequent connections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n - Ticket requests can be used to investigate potentially compromised accounts.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"HTTP traffic on a non standard port. 
Verify that the destination IP address is not related to a Domain Controller.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"destination.address\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"78572426-2b38-4545-94d0-69bc1add54ae\",\"rule_id\":\"897dc6b5-b39f-432a-8d75-d3730d50c782\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.114Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and network.direction == \\\"egress\\\" and\\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \\\"*\\\" and\\n not \\n (\\n process.executable : (\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap\\\\\\\\nmap.exe\\\",\\n 
\\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\program files (x86)\\\\\\\\nmap oem\\\\\\\\nmap.exe\\\",\\n \\\"\\\\\\\\device\\\\\\\\harddiskvolume?\\\\\\\\windows\\\\\\\\system32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Amazon Corretto\\\\\\\\jdk1*\\\\\\\\bin\\\\\\\\java.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Proxy Server\\\\\\\\bin\\\\\\\\prunsrv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\BlackBerry\\\\\\\\UEM\\\\\\\\Core\\\\\\\\tomcat-core\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\DBeaver\\\\\\\\dbeaver.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.backend.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\com.docker.vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Docker\\\\\\\\Docker\\\\\\\\resources\\\\\\\\vpnkit.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\JetBrains\\\\\\\\PyCharm Community Edition*\\\\\\\\bin\\\\\\\\pycharm64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Mozilla Firefox\\\\\\\\firefox.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Oracle\\\\\\\\VirtualBox\\\\\\\\VirtualBoxVM.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Puppet Labs\\\\\\\\Puppet\\\\\\\\puppet\\\\\\\\bin\\\\\\\\ruby.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\rapid7\\\\\\\\nexpose\\\\\\\\nse\\\\\\\\.DLLCACHE\\\\\\\\nseserv.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Silverfort\\\\\\\\Silverfort AD Adapter\\\\\\\\SilverfortServer.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Tenable\\\\\\\\Nessus\\\\\\\\nessusd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware View\\\\\\\\Server\\\\\\\\bin\\\\\\\\ws_TomcatService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Advanced 
Port Scanner\\\\\\\\advanced_port_scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\bin\\\\\\\\dcpatchscan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GFI\\\\\\\\LanGuard 12 Agent\\\\\\\\lnsscomm.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Internet Explorer\\\\\\\\iexplore.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\MicrosoftEdgeUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft Silverlight\\\\\\\\sllauncher.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Nmap OEM\\\\\\\\nmap.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\nwps\\\\\\\\NetScanTools Pro\\\\\\\\NSTPRO.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP BusinessObjects\\\\\\\\tomcat\\\\\\\\bin\\\\\\\\tomcat9.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SuperScan\\\\\\\\scanner.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Zscaler\\\\\\\\ZSATunnel\\\\\\\\ZSATunnel.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MicrosoftEdgeCP.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\vmnat.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SystemApps\\\\\\\\Microsoft.MicrosoftEdge_*\\\\\\\\MicrosoftEdge.exe\\\",\\n \\\"System\\\"\\n ) and process.code_signature.trusted == true\\n ) and\\n destination.address != \\\"127.0.0.1\\\" and destination.address != 
\\\"::1\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"revision\":0,\"current_rule\":{\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"updated_at\":\"2024-12-04T19:45:52.117Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.117Z\",\"created_by\":\"elastic\",\"name\":\"Command Prompt Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies cmd.exe making a network connection. 
Adversaries could abuse cmd.exe to download or execute malware from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Command Prompt Network Connection\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine if any file was downloaded and check if it is an executable or script.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and file name conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.\"],\"from\":\"now-9m\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : (\\n \\\"wpad\\\", \\\"localhost\\\", 
\\\"ocsp.comodoca.com\\\", \\\"ocsp.digicert.com\\\", \\\"ocsp.sectigo.com\\\", \\\"crl.comodoca.com\\\"\\n )]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Prompt Network Connection\",\"description\":\"Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Command Prompt Network Connection\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine if any file was downloaded and check if it is an executable or script.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the downloaded file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and file name conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d4faad8f-3648-4ce3-99e8-71df0388b4d8\",\"rule_id\":\"89f9a4b0-9f8f-4ee0-8823-c4751a6d6696\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.117Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"cmd.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\",\\n \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\",\\n \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\n \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : (\\n \\\"wpad\\\", \\\"localhost\\\", \\\"ocsp.comodoca.com\\\", \\\"ocsp.digicert.com\\\", \\\"ocsp.sectigo.com\\\", 
\\\"crl.comodoca.com\\\"\\n )]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"revision\":0,\"current_rule\":{\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"updated_at\":\"2024-12-04T19:45:52.124Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.124Z\",\"created_by\":\"elastic\",\"name\":\"SUID/SGID Bit Set\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. 
An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.name == \\\"chmod\\\" and (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m\\\" and\\n (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\"))\\n) and not (\\n process.parent.executable : (\\n \\\"/usr/NX/*\\\", \\\"/var/lib/docker/*\\\", \\\"/var/lib/dpkg/info*\\\", \\\"/tmp/newroot/*\\\",\\n \\\"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\\\"\\n ) or\\n process.args : (\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/usr/bin/keybase-redirector\\\", \\\"/usr/local/share/fonts\\\", \\\"/usr/bin/ssh-agent\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SUID/SGID Bit Set\",\"description\":\"An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the 
privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"40d369db-a9d5-49bd-a856-5197bf2bdb2a\",\"rule_id\":\"8a1b0278-0f9a-487d-96bd-d4833298e87a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.124Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.name == \\\"chmod\\\" and (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m\\\" and\\n (process.args : (\\\"+s\\\", \\\"u+s\\\", \\\"g+s\\\") or process.args regex \\\"[24][0-9]{3}\\\"))\\n) and not (\\n process.parent.executable : (\\n \\\"/usr/NX/*\\\", \\\"/var/lib/docker/*\\\", \\\"/var/lib/dpkg/info*\\\", \\\"/tmp/newroot/*\\\",\\n \\\"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\\\"\\n ) or\\n process.args : (\\n \\\"/run/*\\\", \\\"/var/run/*\\\", \\\"/usr/bin/keybase-redirector\\\", \\\"/usr/local/share/fonts\\\", \\\"/usr/bin/ssh-agent\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"revision\":0,\"current_rule\":{\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"updated_at\":\"2024-12-04T19:45:52.126Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.126Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution from a Mounted Device\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a script interpreter or signed binary is launched via a non-standard working directory. 
An attacker may use this technique to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.executable : \\\"C:\\\\\\\\*\\\" and\\n (process.working_directory : \\\"?:\\\\\\\\\\\" and not process.working_directory: \\\"C:\\\\\\\\\\\") and\\n process.parent.name : \\\"explorer.exe\\\" and\\n process.name : (\\\"rundll32.exe\\\", 
\\\"mshta.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"cmd.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution from a Mounted Device\",\"description\":\"Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d2b15151-5625-44e1-ae51-fbb33fcee6be\",\"rule_id\":\"8a1d4831-3ce6-4859-9891-28931fa6101d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.126Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and process.executable : \\\"C:\\\\\\\\*\\\" and\\n (process.working_directory : \\\"?:\\\\\\\\\\\" and not process.working_directory: \\\"C:\\\\\\\\\\\") and\\n process.parent.name : \\\"explorer.exe\\\" and\\n process.name : (\\\"rundll32.exe\\\", \\\"mshta.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"cmd.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"revision\":0,\"current_rule\":{\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"updated_at\":\"2024-12-04T19:45:52.131Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.131Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious JAVA Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Use Case: 
Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Java Child Process\\n\\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised 
accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.lunasec.io/docs/blog/log4j-zero-day/\",\"https://github.com/christophetd/log4shell-vulnerable-app\",\"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\",\"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and event.type:(\\\"start\\\" or \\\"process_started\\\") and process.parent.name:\\\"java\\\" and process.name:(\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\\n nc or netcat or ncat or telnet or 
awk or socat or wget or curl\\n) and process.args :(\\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Deprecated - Suspicious JAVA Child Process\",\"description\":\"Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Java Child Process\\n\\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.lunasec.io/docs/blog/log4j-zero-day/\",\"https://github.com/christophetd/log4shell-vulnerable-app\",\"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\",\"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.007\",\"name\":\"JavaScript\",\"reference\":\"https://attack.mitre.org/techniques/T1059/007/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05dd1bbe-8e3b-4d41-a5f9-e21a87f2b426\",\"rule_id\":\"8acb7614-1d92-4359-bfcf-478b6d9de150\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.131Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and event.type:(\\\"start\\\" or \\\"process_started\\\") and process.parent.name:\\\"java\\\" and process.name:(\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\\n nc or netcat or ncat or telnet or awk or socat or wget or curl\\n) and process.args :(\\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Suspicious JAVA Child Process\",\"target_version\":\"Deprecated - Suspicious JAVA Child Process\",\"merged_version\":\"Deprecated - Suspicious JAVA Child Process\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"revision\":0,\"current_rule\":{\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"updated_at\":\"2024-12-04T19:45:52.136Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.136Z\",\"created_by\":\"elastic\",\"name\":\"Executable File Creation with Multiple Extensions\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Masquerading can allow an adversary to evade defenses and better blend in with the environment. 
One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.007\",\"name\":\"Double File Extension\",\"reference\":\"https://attack.mitre.org/techniques/T1036/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"exe\\\" and\\n file.name regex~ \\\"\\\"\\\".*\\\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\\\.exe\\\"\\\"\\\" and\\n not (process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\QGIS_SCCM\\\\\\\\Files\\\\\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\\\") and\\n file.path : 
\\\"?:\\\\\\\\Program Files\\\\\\\\QGIS *\\\\\\\\apps\\\\\\\\grass\\\\\\\\*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Executable File Creation with Multiple Extensions\",\"description\":\"Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.007\",\"name\":\"Double File Extension\",\"reference\":\"https://attack.mitre.org/techniques/T1036/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7b4fd6b0-eafb-4d9e-950e-cbcd2fa28bbf\",\"rule_id\":\"8b2b3a62-a598-4293-bc14-3d5fa22bb98f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:52.136Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"exe\\\" and\\n file.name regex~ \\\"\\\"\\\".*\\\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\\\.exe\\\"\\\"\\\" and\\n not (process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\QGIS_SCCM\\\\\\\\Files\\\\\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Program Files\\\\\\\\QGIS 
*\\\\\\\\apps\\\\\\\\grass\\\\\\\\*.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"revision\":0,\"current_rule\":{\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"updated_at\":\"2024-12-04T19:45:53.202Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.202Z\",\"created_by\":\"elastic\",\"name\":\"Enable Host Network Discovery via Netsh\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enable Host Network Discovery via Netsh\\n\\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable Network Discovery:\\n - Using netsh: `netsh advfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=No`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Host Windows Firewall planned system administration changes.\"],\"from\":\"now-9m\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.name : \\\"netsh.exe\\\" and\\nprocess.args : (\\\"firewall\\\", \\\"advfirewall\\\") and process.args : \\\"group=Network Discovery\\\" and process.args : \\\"enable=Yes\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Enable Host Network Discovery via Netsh\",\"description\":\"Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Enable Host Network Discovery via Netsh\\n\\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. 
This rule looks for the setup of this setting using the netsh utility.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable Network Discovery:\\n - Using netsh: `netsh advfirewall firewall set rule group=\\\"Network Discovery\\\" new enable=No`\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Host Windows Firewall planned system administration changes.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System 
Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7f13b232-bfd7-40c1-9bfd-8fa12926f963\",\"rule_id\":\"8b4f0816-6a65-4630-86a6-c21c179c0d09\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.202Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\nprocess.name : \\\"netsh.exe\\\" and\\nprocess.args : (\\\"firewall\\\", \\\"advfirewall\\\") and process.args : \\\"group=Network Discovery\\\" and process.args : \\\"enable=Yes\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"revision\":0,\"current_rule\":{\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"updated_at\":\"2024-12-04T19:45:53.072Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.072Z\",\"created_by\":\"elastic\",\"name\":\"RDP (Remote Desktop Protocol) from the Internet\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. 
Such work-flows are usually known and not unexpected.\"],\"from\":\"now-9m\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:3389 or 
event.dataset:zeek.rdp) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"RDP (Remote Desktop Protocol) from the Internet\",\"description\":\"This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"300afc76-072d-4261-864d-4149714bf3f1\",\"timeline_title\":\"Comprehensive Network Timeline\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. 
RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing 
Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"0f68ad23-53f8-4d10-a2c0-07e112d5c0b9\",\"rule_id\":\"8c1bdde8-4204-45c0-9e0c-c85ca3902488\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.072Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\\n not source.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n destination.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"revision\":0,\"current_rule\":{\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"updated_at\":\"2024-12-04T19:45:53.074Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.074Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Process of dns.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Process of dns.exe\\n\\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. 
This can effectively compromise the entire corporate infrastructure.\\n\\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes.\\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the host during the past 48 hours.\\n- Check whether the server is vulnerable to CVE-2020-1350.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised server to a clean state.\\n- Install the latest patches on systems that run Microsoft DNS Server.\\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. 
Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.\"],\"from\":\"now-9m\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://github.com/maxpl0it/CVE-2020-1350-DoS\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"dns.exe\\\" and\\n not process.name : \\\"conhost.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Process of dns.exe\",\"description\":\"Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Process of dns.exe\\n\\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\\n\\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes.\\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the host during the past 48 hours.\\n- Check whether the server is vulnerable to CVE-2020-1350.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised server to a clean state.\\n- Install the latest patches on systems that run Microsoft DNS Server.\\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. 
Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn.\"],\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://github.com/maxpl0it/CVE-2020-1350-DoS\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"880d7182-a473-49ee-811c-fb57cad6aaaf\",\"rule_id\":\"8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.020Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.074Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"dns.exe\\\" and\\n 
not process.name : \\\"conhost.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"revision\":0,\"current_rule\":{\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"updated_at\":\"2024-12-04T19:45:40.214Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.214Z\",\"created_by\":\"elastic\",\"name\":\"Potential SharpRDP Behavior\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral 
movement.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\
"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\"],\"query\":\"/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\\n\\nsequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"svchost.exe\\\" and destination.port == 3389 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.name : \\\"explorer.exe\\\" and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\RunMRU\\\\\\\\*\\\") and\\n registry.data.strings : (\\\"cmd.exe*\\\", \\\"powershell.exe*\\\", \\\"taskmgr*\\\", \\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\\\\\\*\\\")\\n ]\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"taskmgr.exe\\\") or process.args : (\\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\")) and\\n not process.name : \\\"conhost.exe\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential SharpRDP Behavior\",\"description\":\"Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"8b069a41-9c5a-46d4-984d-76933234c92e\",\"rule_id\":\"8c81e506-6e82-4884-9b9a-75d3d252f967\",\"immutable\":true,\"rule_sourc
e\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.214Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\\n\\nsequence by host.id with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"svchost.exe\\\" and destination.port == 3389 and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.name : \\\"explorer.exe\\\" and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\RunMRU\\\\\\\\*\\\") and\\n registry.data.strings : (\\\"cmd.exe*\\\", \\\"powershell.exe*\\\", \\\"taskmgr*\\\", \\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\\\\\\*\\\")\\n ]\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"taskmgr.exe\\\") or process.args : (\\\"\\\\\\\\\\\\\\\\tsclient\\\\\\\\*.exe\\\")) and\\n not process.name : \\\"conhost.exe\\\"\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\"],\"target_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"revision\":0,\"current_rule\":{\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"updated_at\":\"2024-12-04T19:46:04.715Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.715Z\",\"created_by\":\"elastic\",\"name\":\"RPM Package Installed by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. 
RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"RPM Package Installed by Unusual Parent Process\",\"description\":\"This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. 
Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"df59d506-d784-4fb4-b467-b2733b5775c6\",\"rule_id\":\"8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.715Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"revision\":0,\"current_rule\":{\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"updated_at\":\"2024-12-04T19:45:53.094Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.094Z\",\"created_by\":\"elastic\",\"name\":\"Potential WSUS Abuse for Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. 
WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\"],\"query\":\
"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\" and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential WSUS Abuse for Lateral Movement\",\"description\":\"Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"739563fe-bb9c-47f7-a516-781749766d68\",\"rule_id\":\"8e2485b6-a74f-411b-bf7f-38b819f3a846\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.094Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : 
\\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\" and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"wuauclt.exe\\\" and\\nprocess.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\Install\\\\\\\\*\\\"\\n) and\\n(process.name : \\\"psexec64.exe\\\" or ?process.pe.original_file_name : \\\"psexec.c\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-system.security-*\",\"winlogbeat-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"revision\":0,\"current_rule\":{\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"updated_at\":\"2024-12-04T19:45:53.097Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.097Z\",\"created_by\":\"elastic\",\"name\":\"Potential Outgoing RDP Connection by Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and\\n event.action == \\\"connection_attempted\\\" and destination.port == 3389 and\\n destination.ip != \\\"::1\\\" and destination.ip != \\\"127.0.0.1\\\" and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\mRemoteNG\\\\\\\\mRemoteNG.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\PRTG Network Monitor\\\\\\\\PRTG Probe.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Azure Advanced Threat Protection Sensor\\\\\\\\*\\\\\\\\Microsoft.Tri.Sensor.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Remote Desktop Connection Manager\\\\\\\\RDCMan.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SentinelOne\\\\\\\\Sentinel Agent*\\\\\\\\Ranger\\\\\\\\SentinelRanger.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\"\\n ) and process.code_signature.trusted == true\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Outgoing RDP Connection by Unusual Process\",\"description\":\"Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5bdd1a90-f0c4-424f-9f73-80b99e176da1\",\"rule_id\":\"8e39f54e-910b-4adb-a87e-494fbba5fb65\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.097Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and\\n event.action == \\\"connection_attempted\\\" and destination.port == 3389 and\\n destination.ip != \\\"::1\\\" and destination.ip != \\\"127.0.0.1\\\" and\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\mRemoteNG\\\\\\\\mRemoteNG.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\PRTG Network Monitor\\\\\\\\PRTG Probe.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Azure Advanced Threat Protection Sensor\\\\\\\\*\\\\\\\\Microsoft.Tri.Sensor.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Remote Desktop Connection Manager\\\\\\\\RDCMan.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SentinelOne\\\\\\\\Sentinel Agent*\\\\\\\\Ranger\\\\\\\\SentinelRanger.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Devolutions\\\\\\\\Remote Desktop Manager\\\\\\\\RemoteDesktopManager.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Devolutions\\\\\\\\Remote Desktop 
Manager\\\\\\\\RemoteDesktopManager.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"revision\":0,\"current_rule\":{\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"updated_at\":\"2024-12-04T19:45:53.099Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.099Z\",\"created_by\":\"elastic\",\"name\":\"Bitsadmin Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. 
Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"bitsadmin.exe\\\" and process.args : (\\n \\\"*Transfer*\\\", \\\"*Create*\\\", \\\"AddFile\\\", \\\"*SetNotifyFlags*\\\", \\\"*SetNotifyCmdLine*\\\",\\n \\\"*SetMinRetryDelay*\\\", \\\"*SetCustomHeaders*\\\", \\\"*Resume*\\\")\\n ) or\\n (process.name : \\\"powershell.exe\\\" and process.args : (\\n \\\"*Start-BitsTransfer*\\\", \\\"*Add-BitsFile*\\\",\\n \\\"*Resume-BitsTransfer*\\\", \\\"*Set-BitsTransfer*\\\", \\\"*BITS.Manager*\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Bitsadmin Activity\",\"description\":\"Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. 
Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05a63a89-e1b5-458d-a1c3-9a2c2307371f\",\"rule_id\":\"8eec4df1-4b4b-4502-b6c3-c788714604c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.099Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"bitsadmin.exe\\\" and process.args : (\\n \\\"*Transfer*\\\", \\\"*Create*\\\", \\\"AddFile\\\", \\\"*SetNotifyFlags*\\\", \\\"*SetNotifyCmdLine*\\\",\\n \\\"*SetMinRetryDelay*\\\", \\\"*SetCustomHeaders*\\\", \\\"*Resume*\\\")\\n ) or\\n (process.name : \\\"powershell.exe\\\" and process.args : (\\n \\\"*Start-BitsTransfer*\\\", \\\"*Add-BitsFile*\\\",\\n \\\"*Resume-BitsTransfer*\\\", \\\"*Set-BitsTransfer*\\\", \\\"*BITS.Manager*\\\")\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"revision\":0,\"current_rule\":{\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"updated_at\":\"2024-12-04T19:45:53.102Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.102Z\",\"created_by\":\"elastic\",\"name\":\"Potential ADIDNS Poisoning via Wildcard Record Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. 
Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"to\":\"now\",\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes 
(Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and startsWith(winlog.event_data.ObjectDN, \\\"DC=*,\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential ADIDNS Poisoning via Wildcard Record Creation\",\"description\":\"Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. 
Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":103,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\\n\\n```\\nSet-AuditRule -AdObjectPath 
'AD:\\\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ObjectDN\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"07339fb2-2fda-4bba-8bd0-6045548c8ed7\",\"rule_id\":\"8f242ffb-b191-4803-90ec-0f19942e17fd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.102Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.action in (\\\"Directory Service Changes\\\", \\\"directory-service-object-modified\\\") and\\n event.code == \\\"5137\\\" and startsWith(winlog.event_data.ObjectDN, \\\"DC=*,\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":103,\"merged_version\":103,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory 
Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"revision\":0,\"current_rule\":{\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"updated_at\":\"2024-12-04T19:45:40.211Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.211Z\",\"created_by\":\"elastic\",\"name\":\"Potential Port Monitor or Print Processor Registration Abuse\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies port monitor and print processor registry modifications. 
Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print 
Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\"\\n ) and registry.data.strings : \\\"*.dll\\\" and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Port Monitor or Print Processor Registration Abuse\",\"description\":\"Identifies port monitor and print processor registry modifications. 
Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.010\",\"name\":\"Port Monitors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/010/\"},{\"id\":\"T1547.012\",\"name\":\"Print 
Processors\",\"reference\":\"https://attack.mitre.org/techniques/T1547/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"69753afd-90f9-4c99-ab5b-a7e0d1955590\",\"rule_id\":\"8f3e91c7-d791-4704-80a1-42c160d7aa27\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.211Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Monitors\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Print\\\\\\\\Environments\\\\\\\\Windows*\\\\\\\\Print Processors\\\\\\\\*\\\"\\n ) and registry.data.strings : \\\"*.dll\\\" and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"revision\":0,\"current_rule\":{\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"updated_at\":\"2024-12-04T19:45:53.104Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.104Z\",\"created_by\":\"elastic\",\"name\":\"Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",
\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"explorer.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows\",\"description\":\"Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. 
This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.003\",\"name\":\"Distributed Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1021/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"b4ece02c-6f96-438d-9216-e1575e6bf1be\",\"rule_id\":\"8f919d4b-a5af-47ca-a594-6be59cd924a4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.104Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [network where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port > 49151 and destination.port > 49151 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"explorer.exe\\\"\\n ] by 
process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"revision\":0,\"current_rule\":{\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"updated_at\":\"2024-12-04T19:45:53.116Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.116Z\",\"created_by\":\"elastic\",\"name\":\"InstallUtil Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. 
Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"installutil.exe\\\" and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"InstallUtil Activity\",\"description\":\"InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET 
binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4d58da44-25f0-430d-8640-b34027155f5c\",\"rule_id\":\"90babaa8-5216-4568-992d-d4a01a105d98\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.116Z\",\"created_by\":\"elastic\",\"revision\":1,\"type
\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"installutil.exe\\\" and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"revision\":0,\"current_rule\":{\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"updated_at\":\"2024-12-04T19:45:53.134Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.134Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Suspicious Script with Clipboard Retrieval Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (powershell.file.script_block_text : (\\n \\\"Windows.Clipboard\\\" or\\n \\\"Windows.Forms.Clipboard\\\" or\\n \\\"Windows.Forms.TextBox\\\"\\n ) and\\n powershell.file.script_block_text : (\\n \\\"]::GetText\\\" or\\n 
\\\".Paste()\\\"\\n )) or powershell.file.script_block_text : \\\"Get-Clipboard\\\" and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.path : C\\\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\\n file.name : (\\\"Convert-ExcelRangeToImage.ps1\\\" or \\\"Read-Clipboard.ps1\\\")\\n )\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Clipboard Retrieval Capabilities\",\"description\":\"Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1115\",\"name\":\"Clipboard Data\",\"reference\":\"https://attack.mitre.org/techniques/T1115/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"489a1318-efc1-4062-8659-90f6ebd56248\",\"rule_id\":\"92984446-aefb-4d5e-ad12-598042ca80ba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.134Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.ps?1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n (powershell.file.script_block_text : (\\n \\\"Windows.Clipboard\\\" or\\n \\\"Windows.Forms.Clipboard\\\" or\\n \\\"Windows.Forms.TextBox\\\"\\n ) and\\n powershell.file.script_block_text : (\\n \\\"]::GetText\\\" or\\n \\\".Paste()\\\"\\n )) or powershell.file.script_block_text : \\\"Get-Clipboard\\\" and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and 
\\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\" and\\n not (\\n file.path : C\\\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\\n file.name : (\\\"Convert-ExcelRangeToImage.ps1\\\" or \\\"Read-Clipboard.ps1\\\")\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"revision\":0,\"current_rule\":{\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"updated_at\":\"2024-12-04T19:45:53.136Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.136Z\",\"created_by\":\"elastic\",\"name\":\"A scheduled task was created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation of a scheduled task using Windows event logs. 
Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and\\n\\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\\n not winlog.event_data.TaskName : (\\n \\\"\\\\\\\\CreateExplorerShellUnelevatedTask\\\",\\n 
\\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker_backup\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-12-1-*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"A scheduled task was created\",\"description\":\"Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"65e8be83-ff82-45d5-983b-974819c436f7\",\"rule_id\":\"92a6faf5-78ec-4e25-bea1-73bacc9b59d9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.136Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and\\n\\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\\n not winlog.event_data.TaskName : (\\n \\\"\\\\\\\\CreateExplorerShellUnelevatedTask\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Support Assistant\\\\\\\\WarrantyChecker_backup\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Standalone Update Task-S-1-12-1-*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"revision\":0,\"current_rule\":{\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"updated_at\":\"2024-12-04T19:45:53.139Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.139Z\",\"created_by\":\"elastic\",\"name\":\"Potential Evasion via Windows Filtering Platform\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. 
Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/dsnezhkov/shutter/tree/main\",\"https://github.com/netero1010/EDRSilencer/tree/main\",\"https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies 
>\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nFiltering Platform Connection (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security-*\"],\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and \\n event.action : (\\\"windows-firewall-packet-block\\\", \\\"windows-firewall-packet-drop\\\") and \\n process.name : (\\n \\\"bdagent.exe\\\", \\\"bdreinit.exe\\\", \\\"pdscan.exe\\\", \\\"pdiface.exe\\\", \\\"BDSubWiz.exe\\\", \\\"ProductAgentService.exe\\\",\\n \\\"ProductAgentUI.exe\\\", \\\"WatchDog.exe\\\", \\\"CarbonBlackClientSetup.exe\\\", \\\"TrGUI.exe\\\", \\\"TracCAPI.exe\\\", \\\"cpmsi_tool.exe\\\",\\n \\\"trac.exe\\\", \\\"vna_install64.exe\\\", \\\"vna_utils.exe\\\", \\\"TracSrvWrapper.exe\\\", \\\"vsmon.exe\\\", \\\"p95tray.exe\\\",\\n \\\"CybereasonRansomFreeServiceHost.exe\\\", \\\"CrAmTray.exe\\\", \\\"minionhost.exe\\\", \\\"CybereasonSensor.exe\\\", \\\"CylanceUI.exe\\\",\\n \\\"CylanceProtectSetup.exe\\\", \\\"cylancesvc.exe\\\", \\\"cyupdate.exe\\\", \\\"elastic-agent.exe\\\", \\\"elastic-endpoint.exe\\\",\\n \\\"egui.exe\\\", \\\"minodlogin.exe\\\", \\\"emu-rep.exe\\\", \\\"emu_install.exe\\\", \\\"emu-cci.exe\\\", \\\"emu-gui.exe\\\", \\\"emu-uninstall.exe\\\",\\n \\\"ndep.exe\\\", \\\"spike.exe\\\", \\\"ecls.exe\\\", \\\"ecmd.exe\\\", \\\"ecomserver.exe\\\", \\\"eeclnt.exe\\\", \\\"eh64.exe\\\", \\\"EHttpSrv.exe\\\",\\n \\\"xagt.exe\\\", \\\"collectoragent.exe\\\", \\\"FSAEConfig.exe\\\", \\\"uninstalldcagent.exe\\\", \\\"rmon.exe\\\", \\\"fccomint.exe\\\",\\n \\\"fclanguageselector.exe\\\", \\\"fortifw.exe\\\", \\\"fcreg.exe\\\", \\\"fortitray.exe\\\", \\\"fcappdb.exe\\\", \\\"fcwizard.exe\\\", \\\"submitv.exe\\\",\\n \\\"av_task.exe\\\", \\\"fortiwf.exe\\\", \\\"fortiwadbd.exe\\\", \\\"fcauth.exe\\\", \\\"fcdblog.exe\\\", 
\\\"fcmgr.exe\\\", \\\"fortiwad.exe\\\",\\n \\\"fortiproxy.exe\\\", \\\"fortiscand.exe\\\", \\\"fortivpnst.exe\\\", \\\"ipsec.exe\\\", \\\"fcwscd7.exe\\\", \\\"fcasc.exe\\\", \\\"fchelper.exe\\\",\\n \\\"forticlient.exe\\\",\\\"fcwsc.exe\\\", \\\"FortiClient.exe\\\", \\\"fmon.exe\\\", \\\"FSSOMA.exe\\\", \\\"FCVbltScan.exe\\\", \\\"FortiESNAC.exe\\\",\\n \\\"EPCUserAvatar.exe\\\", \\\"FortiAvatar.exe\\\", \\\"FortiClient_Diagnostic_Tool.exe\\\", \\\"FortiSSLVPNdaemon.exe\\\", \\\"avp.exe\\\",\\n \\\"FCConfig.exe\\\", \\\"avpsus.exe\\\", \\\"klnagent.exe\\\", \\\"klnsacwsrv.exe\\\", \\\"kl_platf.exe\\\", \\\"stpass.exe\\\", \\\"klnagwds.exe\\\",\\n \\\"mbae.exe\\\", \\\"mbae64.exe\\\", \\\"mbae-svc.exe\\\", \\\"mbae-uninstaller.exe\\\", \\\"mbaeLoader32.exe\\\", \\\"mbaeloader64.exe\\\",\\n \\\"mbam-dor.exe\\\", \\\"mbamgui.exe\\\", \\\"mbamservice.exe\\\", \\\"mbamtrayctrl.exe\\\", \\\"mbampt.exe\\\", \\\"mbamscheduler.exe\\\",\\n \\\"Coreinst.exe\\\", \\\"mbae-setup.exe\\\", \\\"mcupdate.exe\\\", \\\"ProtectedModuleHost.exe\\\", \\\"ESConfigTool.exe\\\", \\\"FWInstCheck.exe\\\",\\n \\\"FwWindowsFirewallHandler.exe\\\", \\\"mfeesp.exe\\\", \\\"mfefw.exe\\\", \\\"mfeProvisionModeUtility.exe\\\", \\\"mfetp.exe\\\", \\\"avpui.exe\\\", \\n \\\"WscAVExe.exe\\\", \\\"mcshield.exe\\\", \\\"McChHost.exe\\\", \\\"mfewc.exe\\\", \\\"mfewch.exe\\\", \\\"mfewcui.exe\\\", \\\"fwinfo.exe\\\",\\n \\\"mfecanary.exe\\\", \\\"mfefire.exe\\\", \\\"mfehidin.exe\\\", \\\"mfemms.exe\\\", \\\"mfevtps.exe\\\", \\\"mmsinfo.exe\\\", \\\"vtpinfo.exe\\\",\\n \\\"MarSetup.exe\\\", \\\"mctray.exe\\\", \\\"masvc.exe\\\", \\\"macmnsvc.exe\\\", \\\"McAPExe.exe\\\", \\\"McPvTray.exe\\\", \\\"mcods.exe\\\",\\n \\\"mcuicnt.exe\\\", \\\"mcuihost.exe\\\", \\\"xtray.exe\\\", \\\"McpService.exe\\\", \\\"epefprtrainer.exe\\\", \\\"mfeffcoreservice.exe\\\",\\n \\\"MfeEpeSvc.exe\\\", \\\"qualysagent.exe\\\", \\\"QualysProxy.exe\\\", \\\"QualysAgentUI.exe\\\", \\\"SVRTgui.exe\\\", \\\"SVRTcli.exe\\\",\\n 
\\\"SVRTcli.exe\\\", \\\"SVRTgui.exe\\\", \\\"SCTCleanupService.exe\\\", \\\"SVRTservice.exe\\\", \\\"native.exe\\\", \\\"SCTBootTasks.exe\\\",\\n \\\"ALMon.exe\\\", \\\"SAA.exe\\\", \\\"SUMService.exe\\\", \\\"ssp.exe\\\", \\\"SCFService.exe\\\", \\\"SCFManager.exe\\\", \\\"spa.exe\\\", \\\"cabarc.exe\\\",\\n \\\"sargui.exe\\\", \\\"sntpservice.exe\\\", \\\"McsClient.exe\\\", \\\"McsAgent.exe\\\", \\\"McsHeartbeat.exe\\\", \\\"SAVAdminService.exe\\\",\\n \\\"sav32cli.exe\\\", \\\"ForceUpdateAlongSideSGN.exe\\\", \\\"SAVCleanupService.exe\\\", \\\"SavMain.exe\\\", \\\"SavProgress.exe\\\", \\n \\\"SavProxy.exe\\\", \\\"SavService.exe\\\", \\\"swc_service.exe\\\", \\\"swi_di.exe\\\", \\\"swi_service.exe\\\", \\\"swi_filter.exe\\\",\\n \\\"ALUpdate.exe\\\", \\\"SophosUpdate.exe\\\", \\\"ALsvc.exe\\\", \\\"SophosAlert.exe\\\", \\\"osCheck.exe\\\", \\\"N360Downloader.exe\\\",\\n \\\"InstWrap.exe\\\", \\\"symbos.exe\\\", \\\"nss.exe\\\", \\\"symcorpui.exe\\\", \\\"isPwdSvc.exe\\\", \\\"ccsvchst.exe\\\", \\\"ntrmv.exe\\\",\\n \\\"pccntmon.exe\\\", \\\"AosUImanager.exe\\\", \\\"NTRTScan.exe\\\", \\\"TMAS_OL.exe\\\", \\\"TMAS_OLImp.exe\\\", \\\"TMAS_OLSentry.exe\\\",\\n \\\"ufnavi.exe\\\", \\\"Clnrbin.exe\\\", \\\"vizorhtmldialog.exe\\\", \\\"pwmConsole.exe\\\", \\\"PwmSvc.exe\\\", \\\"coreServiceShell.exe\\\",\\n \\\"ds_agent.exe\\\", \\\"SfCtlCom.exe\\\", \\\"MBAMHelper.exe\\\", \\\"cb.exe\\\", \\\"smc.exe\\\", \\\"tda.exe\\\", \\\"xagtnotif.exe\\\", \\\"ekrn.exe\\\",\\n \\\"dsa.exe\\\", \\\"Notifier.exe\\\", \\\"rphcp.exe\\\", \\\"lc_sensor.exe\\\", \\\"CSFalconService.exe\\\", \\\"CSFalconController.exe\\\",\\n \\\"SenseSampleUploader.exe\\\", \\\"windefend.exe\\\", \\\"MSASCui.exe\\\", \\\"MSASCuiL.exe\\\", \\\"msmpeng.exe\\\", \\\"msmpsvc.exe\\\",\\n \\\"MsSense.exe\\\", \\\"esensor.exe\\\", \\\"sentinelone.exe\\\", \\\"tmccsf.exe\\\", \\\"csfalconcontainer.exe\\\", \\\"sensecncproxy.exe\\\",\\n \\\"splunk.exe\\\", \\\"sysmon.exe\\\", \\\"sysmon64.exe\\\", 
\\\"taniumclient.exe\\\"\\n )] with runs=5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Evasion via Windows Filtering Platform\",\"description\":\"Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/dsnezhkov/shutter/tree/main\",\"https://github.com/netero1010/EDRSilencer/tree/main\",\"https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157\",\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity 
Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nFiltering Platform Connection (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"71b43b8f-9755-453e-8418-70b9d601e212\",\"rule_id\":\"92d3a04e-6487-4b62-892d-70e640a590dc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.139Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=1m\\n [network where host.os.type == \\\"windows\\\" and \\n event.action : (\\\"windows-firewall-packet-block\\\", \\\"windows-firewall-packet-drop\\\") and \\n process.name : (\\n \\\"bdagent.exe\\\", \\\"bdreinit.exe\\\", \\\"pdscan.exe\\\", \\\"pdiface.exe\\\", \\\"BDSubWiz.exe\\\", \\\"ProductAgentService.exe\\\",\\n \\\"ProductAgentUI.exe\\\", \\\"WatchDog.exe\\\", \\\"CarbonBlackClientSetup.exe\\\", \\\"TrGUI.exe\\\", \\\"TracCAPI.exe\\\", \\\"cpmsi_tool.exe\\\",\\n \\\"trac.exe\\\", \\\"vna_install64.exe\\\", \\\"vna_utils.exe\\\", \\\"TracSrvWrapper.exe\\\", \\\"vsmon.exe\\\", \\\"p95tray.exe\\\",\\n \\\"CybereasonRansomFreeServiceHost.exe\\\", \\\"CrAmTray.exe\\\", \\\"minionhost.exe\\\", \\\"CybereasonSensor.exe\\\", \\\"CylanceUI.exe\\\",\\n \\\"CylanceProtectSetup.exe\\\", \\\"cylancesvc.exe\\\", \\\"cyupdate.exe\\\", \\\"elastic-agent.exe\\\", \\\"elastic-endpoint.exe\\\",\\n \\\"egui.exe\\\", \\\"minodlogin.exe\\\", \\\"emu-rep.exe\\\", \\\"emu_install.exe\\\", \\\"emu-cci.exe\\\", 
\\\"emu-gui.exe\\\", \\\"emu-uninstall.exe\\\",\\n \\\"ndep.exe\\\", \\\"spike.exe\\\", \\\"ecls.exe\\\", \\\"ecmd.exe\\\", \\\"ecomserver.exe\\\", \\\"eeclnt.exe\\\", \\\"eh64.exe\\\", \\\"EHttpSrv.exe\\\",\\n \\\"xagt.exe\\\", \\\"collectoragent.exe\\\", \\\"FSAEConfig.exe\\\", \\\"uninstalldcagent.exe\\\", \\\"rmon.exe\\\", \\\"fccomint.exe\\\",\\n \\\"fclanguageselector.exe\\\", \\\"fortifw.exe\\\", \\\"fcreg.exe\\\", \\\"fortitray.exe\\\", \\\"fcappdb.exe\\\", \\\"fcwizard.exe\\\", \\\"submitv.exe\\\",\\n \\\"av_task.exe\\\", \\\"fortiwf.exe\\\", \\\"fortiwadbd.exe\\\", \\\"fcauth.exe\\\", \\\"fcdblog.exe\\\", \\\"fcmgr.exe\\\", \\\"fortiwad.exe\\\",\\n \\\"fortiproxy.exe\\\", \\\"fortiscand.exe\\\", \\\"fortivpnst.exe\\\", \\\"ipsec.exe\\\", \\\"fcwscd7.exe\\\", \\\"fcasc.exe\\\", \\\"fchelper.exe\\\",\\n \\\"forticlient.exe\\\",\\\"fcwsc.exe\\\", \\\"FortiClient.exe\\\", \\\"fmon.exe\\\", \\\"FSSOMA.exe\\\", \\\"FCVbltScan.exe\\\", \\\"FortiESNAC.exe\\\",\\n \\\"EPCUserAvatar.exe\\\", \\\"FortiAvatar.exe\\\", \\\"FortiClient_Diagnostic_Tool.exe\\\", \\\"FortiSSLVPNdaemon.exe\\\", \\\"avp.exe\\\",\\n \\\"FCConfig.exe\\\", \\\"avpsus.exe\\\", \\\"klnagent.exe\\\", \\\"klnsacwsrv.exe\\\", \\\"kl_platf.exe\\\", \\\"stpass.exe\\\", \\\"klnagwds.exe\\\",\\n \\\"mbae.exe\\\", \\\"mbae64.exe\\\", \\\"mbae-svc.exe\\\", \\\"mbae-uninstaller.exe\\\", \\\"mbaeLoader32.exe\\\", \\\"mbaeloader64.exe\\\",\\n \\\"mbam-dor.exe\\\", \\\"mbamgui.exe\\\", \\\"mbamservice.exe\\\", \\\"mbamtrayctrl.exe\\\", \\\"mbampt.exe\\\", \\\"mbamscheduler.exe\\\",\\n \\\"Coreinst.exe\\\", \\\"mbae-setup.exe\\\", \\\"mcupdate.exe\\\", \\\"ProtectedModuleHost.exe\\\", \\\"ESConfigTool.exe\\\", \\\"FWInstCheck.exe\\\",\\n \\\"FwWindowsFirewallHandler.exe\\\", \\\"mfeesp.exe\\\", \\\"mfefw.exe\\\", \\\"mfeProvisionModeUtility.exe\\\", \\\"mfetp.exe\\\", \\\"avpui.exe\\\", \\n \\\"WscAVExe.exe\\\", \\\"mcshield.exe\\\", \\\"McChHost.exe\\\", \\\"mfewc.exe\\\", \\\"mfewch.exe\\\", 
\\\"mfewcui.exe\\\", \\\"fwinfo.exe\\\",\\n \\\"mfecanary.exe\\\", \\\"mfefire.exe\\\", \\\"mfehidin.exe\\\", \\\"mfemms.exe\\\", \\\"mfevtps.exe\\\", \\\"mmsinfo.exe\\\", \\\"vtpinfo.exe\\\",\\n \\\"MarSetup.exe\\\", \\\"mctray.exe\\\", \\\"masvc.exe\\\", \\\"macmnsvc.exe\\\", \\\"McAPExe.exe\\\", \\\"McPvTray.exe\\\", \\\"mcods.exe\\\",\\n \\\"mcuicnt.exe\\\", \\\"mcuihost.exe\\\", \\\"xtray.exe\\\", \\\"McpService.exe\\\", \\\"epefprtrainer.exe\\\", \\\"mfeffcoreservice.exe\\\",\\n \\\"MfeEpeSvc.exe\\\", \\\"qualysagent.exe\\\", \\\"QualysProxy.exe\\\", \\\"QualysAgentUI.exe\\\", \\\"SVRTgui.exe\\\", \\\"SVRTcli.exe\\\",\\n \\\"SVRTcli.exe\\\", \\\"SVRTgui.exe\\\", \\\"SCTCleanupService.exe\\\", \\\"SVRTservice.exe\\\", \\\"native.exe\\\", \\\"SCTBootTasks.exe\\\",\\n \\\"ALMon.exe\\\", \\\"SAA.exe\\\", \\\"SUMService.exe\\\", \\\"ssp.exe\\\", \\\"SCFService.exe\\\", \\\"SCFManager.exe\\\", \\\"spa.exe\\\", \\\"cabarc.exe\\\",\\n \\\"sargui.exe\\\", \\\"sntpservice.exe\\\", \\\"McsClient.exe\\\", \\\"McsAgent.exe\\\", \\\"McsHeartbeat.exe\\\", \\\"SAVAdminService.exe\\\",\\n \\\"sav32cli.exe\\\", \\\"ForceUpdateAlongSideSGN.exe\\\", \\\"SAVCleanupService.exe\\\", \\\"SavMain.exe\\\", \\\"SavProgress.exe\\\", \\n \\\"SavProxy.exe\\\", \\\"SavService.exe\\\", \\\"swc_service.exe\\\", \\\"swi_di.exe\\\", \\\"swi_service.exe\\\", \\\"swi_filter.exe\\\",\\n \\\"ALUpdate.exe\\\", \\\"SophosUpdate.exe\\\", \\\"ALsvc.exe\\\", \\\"SophosAlert.exe\\\", \\\"osCheck.exe\\\", \\\"N360Downloader.exe\\\",\\n \\\"InstWrap.exe\\\", \\\"symbos.exe\\\", \\\"nss.exe\\\", \\\"symcorpui.exe\\\", \\\"isPwdSvc.exe\\\", \\\"ccsvchst.exe\\\", \\\"ntrmv.exe\\\",\\n \\\"pccntmon.exe\\\", \\\"AosUImanager.exe\\\", \\\"NTRTScan.exe\\\", \\\"TMAS_OL.exe\\\", \\\"TMAS_OLImp.exe\\\", \\\"TMAS_OLSentry.exe\\\",\\n \\\"ufnavi.exe\\\", \\\"Clnrbin.exe\\\", \\\"vizorhtmldialog.exe\\\", \\\"pwmConsole.exe\\\", \\\"PwmSvc.exe\\\", \\\"coreServiceShell.exe\\\",\\n \\\"ds_agent.exe\\\", 
\\\"SfCtlCom.exe\\\", \\\"MBAMHelper.exe\\\", \\\"cb.exe\\\", \\\"smc.exe\\\", \\\"tda.exe\\\", \\\"xagtnotif.exe\\\", \\\"ekrn.exe\\\",\\n \\\"dsa.exe\\\", \\\"Notifier.exe\\\", \\\"rphcp.exe\\\", \\\"lc_sensor.exe\\\", \\\"CSFalconService.exe\\\", \\\"CSFalconController.exe\\\",\\n \\\"SenseSampleUploader.exe\\\", \\\"windefend.exe\\\", \\\"MSASCui.exe\\\", \\\"MSASCuiL.exe\\\", \\\"msmpeng.exe\\\", \\\"msmpsvc.exe\\\",\\n \\\"MsSense.exe\\\", \\\"esensor.exe\\\", \\\"sentinelone.exe\\\", \\\"tmccsf.exe\\\", \\\"csfalconcontainer.exe\\\", \\\"sensecncproxy.exe\\\",\\n \\\"splunk.exe\\\", \\\"sysmon.exe\\\", \\\"sysmon64.exe\\\", \\\"taniumclient.exe\\\"\\n )] with runs=5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.network-*\",\"logs-system.security*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"revision\":0,\"current_rule\":{\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"updated_at\":\"2024-12-04T19:45:53.141Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.141Z\",\"created_by\":\"elastic\",\"name\":\"AWS Security Token Service (STS) AssumeRole Usage\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of AssumeRole. 
AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Automated processes that use Terraform may lead to false positives.\"],\"from\":\"now-6m\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.session_context.session_issuer.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS STS Role Assumption by Service\",\"description\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. 
While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: 
Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":209,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege 
Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"references\":[\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access 
Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6d126440-b8da-4619-8f7e-4c789853d32f\",\"rule_id\":\"93075852-b0f5-4b8b-89c3-a226efae5726\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.141Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: \\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"new_terms_fields\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"history_window_start\":\"now-14d\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS Security Token Service (STS) AssumeRole 
Usage\",\"target_version\":\"AWS STS Role Assumption by Service\",\"merged_version\":\"AWS STS Role Assumption by Service\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS STS\",\"Resources: Investigation Guide\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.\",\"target_version\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. 
While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"merged_version\":\"Identifies when a service has assumed a role in AWS Security Token Service (STS). Services can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when a service assumes a role in AWS Security Token Service (STS) to obtain temporary credentials and access AWS resources. While often legitimate, adversaries may use this technique for unauthorized access, privilege escalation, or lateral movement within an AWS environment.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"false_positives\":{\"has_base_version\":false,\"current_version\":[\"Automated processes that use Terraform may lead to false positives.\"],\"target_version\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"merged_version\":[\"AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.\",\"AWS services might assume roles to access AWS resources as part of their standard operations.\",\"Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments.\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. 
Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"merged_version\":\"## Triage and Analysis\\n\\n### Investigating AWS STS Role Assumption by Service\\n\\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a role, granting temporary credentials for AWS resource access. 
While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\\n\\n#### Possible Investigation Steps\\n\\n- **Identify the Actor and Assumed Role**:\\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRole` action.\\n - **Role Assumed**: Check the `aws.cloudtrail.flattened.request_parameters.roleArn` field to confirm the assumed role and ensure it aligns with expected responsibilities.\\n - **Session Name**: Observe the `aws.cloudtrail.flattened.request_parameters.roleSessionName` for context on the session's intended purpose, if available.\\n\\n- **Analyze the Role Session and Duration**:\\n - **Session Context**: Look at the `aws.cloudtrail.user_identity.session_context.creation_date` to understand when the session began and check if multi-factor authentication (MFA) was used, indicated by the `aws.cloudtrail.user_identity.session_context.mfa_authenticated` field.\\n - **Credential Validity**: Examine the `aws.cloudtrail.flattened.request_parameters.durationSeconds` for the credential's validity period.\\n - **Expiration Time**: Verify `aws.cloudtrail.flattened.response_elements.credentials.expiration` to determine when the credentials expire or expired.\\n\\n- **Inspect the User Agent for Tooling Identification**:\\n - **User Agent Details**: Review the `user_agent.original` field to identify the tool or SDK used for the role assumption. 
Indicators include:\\n - **AWS SDKs (e.g., Boto3)**: Often used in automated workflows or scripts.\\n - **AWS CLI**: Suggests command-line access, potentially indicating direct user interaction.\\n - **Custom Tooling**: Unusual user agents may signify custom or suspicious tools.\\n - **Source IP and Location**: Evaluate the `source.address` and `source.geo` fields to confirm if the access source aligns with typical access locations for your environment.\\n\\n- **Contextualize with Related Events**:\\n - **Review Event Patterns**: Check surrounding CloudTrail events to see if other actions coincide with this `AssumeRole` activity, such as attempts to access sensitive resources.\\n - **Identify High-Volume Exceptions**: Due to the potential volume of `AssumeRole` events, determine common, legitimate `roleArn` values or `user_agent` patterns, and consider adding these as exceptions to reduce noise.\\n\\n- **Evaluate the Privilege Level of the Assumed Role**:\\n - **Permissions**: Inspect permissions associated with the assumed role to understand its access level.\\n - **Authorized Usage**: Confirm whether the role is typically used for administrative purposes and if the assuming entity frequently accesses it as part of regular responsibilities.\\n\\n### False Positive Analysis\\n\\n- **Automated Workflows and Applications**: Many applications or scheduled tasks may assume roles for standard operations. 
Check user agents and ARNs for consistency with known workflows.\\n- **Routine IAM Policy Actions**: Historical data may reveal if the same user or application assumes this specific role regularly as part of authorized operations.\\n\\n### Response and Remediation\\n\\n- **Revoke Unauthorized Sessions**: If unauthorized, consider revoking the session by adjusting IAM policies or permissions associated with the assumed role.\\n- **Enhance Monitoring and Alerts**: Set up enhanced monitoring for high-risk roles, especially those with elevated privileges.\\n- **Manage Exceptions**: Regularly review and manage high-frequency roles and user agent patterns, adding trusted ARNs and user agents to exception lists to minimize alert fatigue.\\n- **Incident Response**: If malicious behavior is identified, follow incident response protocols, including containment, investigation, and remediation.\\n\\n### Additional Information\\n\\nFor more information on managing and securing AWS STS, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) and AWS security best practices.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"aws.cloudtrail.user_identity.session_context.session_issuer.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.invoked_by\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"5m\",\"lookback\":\"60s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"aws.cloudtrail.user_identity.type\",\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.resources.type\",\"source.address\",\"aws.cloudtrail.user_identity.invoked_by\",\"aws.cloudtrail.flattened.request_parameters.roleArn\",\"aws.cloudtrail.flattened.request_parameters.roleSessionName\",\"event.action\",\"event.outcome\",\"cloud.region\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"new_terms\",\"merged_version\":\"new_terms\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: 
\\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset: \\\"aws.cloudtrail\\\"\\n and event.provider: \\\"sts.amazonaws.com\\\"\\n and event.action: \\\"AssumeRole\\\"\\n and event.outcome: \\\"success\\\"\\n and aws.cloudtrail.user_identity.type: \\\"AWSService\\\"\\n and not aws.cloudtrail.user_identity.invoked_by: (\\n \\\"config.amazonaws.com\\\" or\\n \\\"securityhub.amazonaws.com\\\" or\\n \\\"sso.amazonaws.com\\\"\\n )\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"target_version\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"merged_version\":[\"aws.cloudtrail.resources.arn\",\"aws.cloudtrail.user_identity.invoked_by\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"history_window_start\":{\"has_base_version\":false,\"target_version\":\"now-14d\",\"merged_version\":\"now-14d\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":14,\"num_fields_with_conflicts\":13,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"revision\":0,\"current_rule\":{\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"updated_at\":\"2024-12-04T19:45:53.144Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.144Z\",\"created_by\":\"elastic\",\"name\":\"Sudoers File 
Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":204,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\\nnot process.name:(dpkg 
or platform-python or puppet or yum or dnf) and \\nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Sudoers File Modification\",\"description\":\"A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.003\",\"name\":\"Sudo and Sudo 
Caching\",\"reference\":\"https://attack.mitre.org/techniques/T1548/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5d8737c5-34c4-4c0b-b597-61e651c1307c\",\"rule_id\":\"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.144Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\\nnot process.name:(dpkg or platform-python or puppet or yum or dnf) and \\nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-7d\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":204,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"revision\":0,\"current_rule\":{\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"updated_at\":\"2024-12-04T19:45:53.148Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.148Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious SolarWinds Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes, verify process details such as network connections and file writes.\"],\"from\":\"now-9m\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name: (\\\"SolarWinds.BusinessLayerHost.exe\\\", \\\"SolarWinds.BusinessLayerHostx64.exe\\\") and\\n not (\\n process.name : (\\n \\\"APMServiceControl*.exe\\\",\\n \\\"ExportToPDFCmd*.Exe\\\",\\n 
\\\"SolarWinds.Credentials.Orion.WebApi*.exe\\\",\\n \\\"SolarWinds.Orion.Topology.Calculator*.exe\\\",\\n \\\"Database-Maint.exe\\\",\\n \\\"SolarWinds.Orion.ApiPoller.Service.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WerMgr.exe\\\",\\n \\\"SolarWinds.BusinessLayerHost.exe\\\",\\n \\\"SolarWinds.BusinessLayerHostx64.exe\\\",\\n \\\"SolarWinds.Topology.Calculator.exe\\\",\\n \\\"SolarWinds.Topology.Calculatorx64.exe\\\",\\n \\\"SolarWinds.APM.RealTimeProcessPoller.exe\\\") and\\n process.code_signature.trusted == true\\n ) and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\ARP.EXE\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\lodctr.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\unlodctr.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious SolarWinds Child Process\",\"description\":\"A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes, verify process details such as network connections and file 
writes.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6d608544-03e3-4de8-aaae-8719d1594dbb\",\"rule_id\":\"93b22c0a-06a0-4131-b830-b10d5e166ff4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.148Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\
",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name: (\\\"SolarWinds.BusinessLayerHost.exe\\\", \\\"SolarWinds.BusinessLayerHostx64.exe\\\") and\\n not (\\n process.name : (\\n \\\"APMServiceControl*.exe\\\",\\n \\\"ExportToPDFCmd*.Exe\\\",\\n \\\"SolarWinds.Credentials.Orion.WebApi*.exe\\\",\\n \\\"SolarWinds.Orion.Topology.Calculator*.exe\\\",\\n \\\"Database-Maint.exe\\\",\\n \\\"SolarWinds.Orion.ApiPoller.Service.exe\\\",\\n \\\"WerFault.exe\\\",\\n \\\"WerMgr.exe\\\",\\n \\\"SolarWinds.BusinessLayerHost.exe\\\",\\n \\\"SolarWinds.BusinessLayerHostx64.exe\\\",\\n \\\"SolarWinds.Topology.Calculator.exe\\\",\\n \\\"SolarWinds.Topology.Calculatorx64.exe\\\",\\n \\\"SolarWinds.APM.RealTimeProcessPoller.exe\\\") and\\n process.code_signature.trusted == true\\n ) and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\ARP.EXE\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\lodctr.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\unlodctr.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"revision\":0,\"current_rule\":{\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"updated_at\":\"2024-12-04T19:45:53.151Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.151Z\",\"created_by\":\"elastic\",\"name\":\"Encoded Executable Stored in the Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[],\"version\":309,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n/* update here with encoding combinations */\\n registry.data.strings : \\\"TVqQAAMAAAAEAAAA*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Encoded Executable Stored in the Registry\",\"description\":\"Identifies registry write modifications to hide an encoded portable executable. 
This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":411,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"2644352c-d5e4-4f5e-a8df-ebf001c118f3\",\"rule_id\":\"93c1ce76-494c-4f01-8167-35edfb52f7b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.021Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.151Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and\\n/* update here with encoding combinations */\\n registry.data.strings : \\\"TVqQAAMAAAAEAAAA*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":309,\"target_version\":411,\"merged_version\":411,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data 
Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"revision\":0,\"current_rule\":{\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"updated_at\":\"2024-12-04T19:45:53.153Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.153Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Admin Role Deletion\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role is deleted. 
An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Deletion\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\\n\\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n\\n### False positive analysis\\n\\n- After identifying the user account that disabled the admin role, verify the action was intentional.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Admin Role Deletion\",\"description\":\"Detects when a custom admin role is deleted. 
An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Admin Role Deletion\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\\n\\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\\n\\n### False positive analysis\\n\\n- After identifying the user account that disabled the admin role, verify the action was intentional.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"17692477-913f-43f3-a955-886cf6c2cf98\",\"rule_id\":\"93e63c3e-4154-4fc6-9f86-b411e0987bbf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.153Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"revision\":0,\"current_rule\":{\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"updated_at\":\"2024-12-04T19:45:40.227Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.227Z\",\"created_by\":\"elastic\",\"name\":\"Executable Bit Set for Potential Persistence Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. 
Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart 
Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.args : (\\n // Misc.\\n \\\"/etc/rc.local\\\", \\\"/etc/rc.common\\\", \\\"/etc/rc.d/rc.local\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/etc/apt/apt.conf.d/*\\\", \\\"/etc/cron*\\\", \\\"/etc/init/*\\\",\\n\\n // XDG\\n \\\"/etc/xdg/autostart/*\\\", \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\", \\\"/home/*/.config/autostart-scripts/*\\\",\\n \\\"/root/.config/autostart-scripts/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\n // udev\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\"\\n\\n) and (\\n (process.name == \\\"chmod\\\" and process.args : (\\\"+x*\\\", \\\"1*\\\", \\\"3*\\\", \\\"5*\\\", \\\"7*\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m*\\\" and process.args : (\\\"7*\\\", \\\"5*\\\", \\\"3*\\\", \\\"1*\\\"))\\n) and not process.parent.executable : \\\"/var/lib/dpkg/*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Executable Bit Set for Potential 
Persistence Script\",\"description\":\"This rule monitors for the addition of an executable bit to scripts located in directories that are commonly abused for persistence, such as rc/init scripts, cron directories, XDG autostart entries and udev rules. An alert from this rule indicates that a persistence mechanism may be being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval, to gain persistence on the system. Executions whose parent executable is located under /var/lib/dpkg/ are excluded from this rule.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]},{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]},{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c32d7cb7-ff00-4bba-b5a6-2574dd72ca85\",\"rule_id\":\"94418745-529f-4259-8d25-a713a6feb6ae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.227Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.args : (\\n // Misc.\\n \\\"/etc/rc.local\\\", 
\\\"/etc/rc.common\\\", \\\"/etc/rc.d/rc.local\\\", \\\"/etc/init.d/*\\\", \\\"/etc/update-motd.d/*\\\",\\n \\\"/etc/apt/apt.conf.d/*\\\", \\\"/etc/cron*\\\", \\\"/etc/init/*\\\",\\n\\n // XDG\\n \\\"/etc/xdg/autostart/*\\\", \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\", \\\"/home/*/.config/autostart-scripts/*\\\",\\n \\\"/root/.config/autostart-scripts/*\\\", \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\",\\n \\n // udev\\n \\\"/lib/udev/*\\\", \\\"/etc/udev/rules.d/*\\\", \\\"/usr/lib/udev/rules.d/*\\\", \\\"/run/udev/rules.d/*\\\"\\n\\n) and (\\n (process.name == \\\"chmod\\\" and process.args : (\\\"+x*\\\", \\\"1*\\\", \\\"3*\\\", \\\"5*\\\", \\\"7*\\\")) or\\n (process.name == \\\"install\\\" and process.args : \\\"-m*\\\" and process.args : (\\\"7*\\\", \\\"5*\\\", \\\"3*\\\", \\\"1*\\\"))\\n) and not process.parent.executable : \\\"/var/lib/dpkg/*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\"],\"target_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/\",\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts\",\"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"revision\":0,\"current_rule\":{\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"updated_at\":\"2024-12-04T19:45:53.164Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.164Z\",\"created_by\":\"elastic\",\"name\":\"Group Policy Discovery via Microsoft GPResult Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\\n\\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. 
Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\\n\\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\\n\\n#### Possible investigation steps\\n\\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1615\",\"name\":\"Group Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name: \\\"gpresult.exe\\\" or ?process.pe.original_file_name == \\\"gprslt.exe\\\") and process.args: (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Group Policy Discovery via Microsoft GPResult Utility\",\"description\":\"Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\\n\\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. 
The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\\n\\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\\n\\n#### Possible investigation steps\\n\\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1615\",\"name\":\"Group Policy 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1615/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eedfd206-3685-4a8b-a372-7d29f8975b34\",\"rule_id\":\"94a401ba-4fa2-455c-b7ae-b6e037afc0b7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.164Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(process.name: \\\"gpresult.exe\\\" or ?process.pe.original_file_name == \\\"gprslt.exe\\\") and process.args: (\\\"/z\\\", \\\"/v\\\", \\\"/r\\\", \\\"/x\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"updated_at\":\"2024-12-04T19:45:53.167Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.167Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Custom Gmail Route Created or Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. 
This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts is routed through a domain's mail server for inbound and outbound mail.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Gmail Route Created or Modified\\n\\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\\n\\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and, if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\\n\\nThis rule identifies the creation or modification of a custom global Gmail route by an administrator from the Google Workspace admin console, based on `CREATE_GMAIL_SETTING` and `CHANGE_GMAIL_SETTING` admin events for the `EMAIL_ROUTE` setting; the query also matches changes to the `MESSAGE_SECURITY_RULE` setting. Custom email routes could indicate an attempt to secretly forward sensitive emails to unauthorized recipients.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that created or modified the custom email route and verify that it should have administrative privileges.\\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. 
To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\\n\\n### False positive analysis\\n\\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam.\"],\"from\":\"now-130m\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.003\",\"name\":\"Email Forwarding Rule\",\"reference\":\"https://attack.mitre.org/techniques/T1114/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2685650?hl=en\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:(\\\"CREATE_GMAIL_SETTING\\\" or \\\"CHANGE_GMAIL_SETTING\\\")\\n and google_workspace.event.type:\\\"EMAIL_SETTINGS\\\" and google_workspace.admin.setting.name:(\\\"EMAIL_ROUTE\\\" or \\\"MESSAGE_SECURITY_RULE\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Custom Gmail Route Created or Modified\",\"description\":\"Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Gmail Route Created or Modified\\n\\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\\n\\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\\n\\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. 
Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\\n\\n### False positive analysis\\n\\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. 
Administrators might create custom email routes to fulfill organizational requirements.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Collection\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam.\"],\"references\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.003\",\"name\":\"Email Forwarding Rule\",\"reference\":\"https://attack.mitre.org/techniques/T1114/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"fe244d52-b50d-483a-9ab3-5d472d901b0a\",\"rule_id\":\"9510add4-3392-11ed-bd01-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.167Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:(\\\"CREATE_GMAIL_SETTING\\\" or \\\"CHANGE_GMAIL_SETTING\\\")\\n and google_workspace.event.type:\\\"EMAIL_SETTINGS\\\" and google_workspace.admin.setting.name:(\\\"EMAIL_ROUTE\\\" or \\\"MESSAGE_SECURITY_RULE\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2685650?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2685650?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"revision\":0,\"current_rule\":{\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"updated_at\":\"2024-12-04T19:45:53.169Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.169Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell Pass-the-Hash/Relay Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1\",\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1\",\"https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1\",\"https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1\",\"https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"NTLMSSPNegotiate\\\" and (\\\"NegotiateSMB\\\" or \\\"NegotiateSMB2\\\")) or\\n \\\"4E544C4D53535000\\\" or\\n \\\"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\\\" or\\n \\\"0x4e,0x54,0x20,0x4c,0x4d\\\" or\\n 
\\\"0x53,0x4d,0x42,0x20,0x32\\\" or\\n \\\"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\\\"\\n ) and\\n not file.directory : \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell Pass-the-Hash/Relay Script\",\"description\":\"Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1\",\"https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1\",\"https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1\",\"https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1\",\"https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1557\",\"name\":\"Adversary-in-the-Middle\",\"reference\":\"https://attack.mitre.org/techniques/T1557/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.directory\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"3ed55975-37b5-423b-aad3-ab842d890039\",\"rule_id\":\"951779c2-82ad-4a6c-82b8-296c1f691449\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.169Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n (\\\"NTLMSSPNegotiate\\\" and (\\\"NegotiateSMB\\\" or \\\"NegotiateSMB2\\\")) or\\n \\\"4E544C4D53535000\\\" or\\n \\\"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\\\" or\\n \\\"0x4e,0x54,0x20,0x4c,0x4d\\\" or\\n \\\"0x53,0x4d,0x42,0x20,0x32\\\" or\\n \\\"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\\\"\\n ) and\\n not file.directory : \\\"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"revision\":0,\"current_rule\":{\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"updated_at\":\"2024-12-04T19:45:40.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.217Z\",\"created_by\":\"elastic\",\"name\":\"Remote Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. 
This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. 
Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"/* Task Scheduler service incoming connection followed by TaskCache registry modification */\\n\\nsequence by host.id, process.entity_id with maxspan = 1m\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and source.port >= 49152 and destination.port >= 49152 and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Scheduled Task Creation\",\"description\":\"Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"90bb6388-f9f3-4215-a69d-26809d5195c8\",\"rule_id\":\"954ee7c8-5437-49ae-b2d6-2960883898e9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Task Scheduler service incoming connection followed by TaskCache registry modification */\\n\\nsequence by host.id, process.entity_id with maxspan = 1m\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and source.port >= 49152 and destination.port >= 49152 and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ]\\n [registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Actions\\\" and\\n registry.path : 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\TaskCache\\\\\\\\Tasks\\\\\\\\*\\\\\\\\Actions\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"revision\":0,\"current_rule\":{\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"updated_at\":\"2024-12-04T19:45:53.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.172Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell 
Suspicious Script with Screenshot Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1113\",\"name\":\"Screen Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1113/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## 
Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n CopyFromScreen and\\n (\\\"System.Drawing.Bitmap\\\" or \\\"Drawing.Bitmap\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Suspicious Script with Screenshot Capabilities\",\"description\":\"Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious 
characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1113\",\"name\":\"Screen Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1113/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via 
registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d77ab255-3f31-4676-a0c6-4517dafa6aa4\",\"rule_id\":\"959a7353-1129-4aa7-9084-30746b256a70\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n CopyFromScreen and\\n (\\\"System.Drawing.Bitmap\\\" or \\\"Drawing.Bitmap\\\")\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"revision\":0,\"current_rule\":{\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"updated_at\":\"2024-12-04T19:45:53.176Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.176Z\",\"created_by\":\"elastic\",\"name\":\"File made Immutable by Chattr\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata cannot be modified, and the file cannot be opened in write mode. 
Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g. .ssh, /etc/passwd).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.002\",\"name\":\"Linux and Mac File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and user.id == \\\"0\\\" and\\n process.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and\\n not process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") and\\n not process.parent.name in (\\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"File made Immutable by Chattr\",\"description\":\"Detects a file being made immutable using the chattr binary. 
Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata cannot be modified, and the file cannot be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g. .ssh, /etc/passwd). Note: the query matches chattr invocations that set or clear the immutable attribute (+i/-i) and does not alert when the parent process name is in its exclusion list, which includes sudo.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.002\",\"name\":\"Linux and Mac File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0bcb9872-af70-473c-9b06-420a759925aa\",\"rule_id\":\"968ccab9-da51-4a87-9ce2-d3c9782fd759\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.176Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where 
host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",
\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and user.id == \\\"0\\\" and\\n process.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and\\n not process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") and\\n not process.parent.name in (\\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and process.parent.executable != null and\\nprocess.executable : \\\"/usr/bin/chattr\\\" and process.args : (\\\"-*i*\\\", \\\"+*i*\\\") and not (\\n 
process.parent.executable: (\\\"/lib/systemd/systemd\\\", \\\"/usr/local/uems_agent/bin/*\\\", \\\"/usr/lib/systemd/systemd\\\") or\\n process.parent.name in (\\n \\\"systemd\\\", \\\"cf-agent\\\", \\\"ntpdate\\\", \\\"xargs\\\", \\\"px\\\", \\\"preinst\\\", \\\"auth\\\", \\\"cf-agent\\\", \\\"dcservice\\\", \\\"dcagentupgrader\\\",\\n \\\"sudo\\\", \\\"ephemeral-disk-warning\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"revision\":0,\"current_rule\":{\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"updated_at\":\"2024-12-04T19:45:53.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.181Z\",\"created_by\":\"elastic\",\"name\":\"Message-of-the-Day (MOTD) File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \\\"/etc/update-motd.d/\\\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. 
Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Message-of-the-Day (MOTD) File Creation\\n\\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\\n\\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.\\n\\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### Related Rules\\n\\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the MOTD files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### 
Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/update-motd.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n 
file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Message-of-the-Day (MOTD) File Creation\",\"description\":\"This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \\\"/etc/update-motd.d/\\\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Message-of-the-Day (MOTD) File Creation\\n\\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\\n\\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. 
Executable files in these directories automatically run with root privileges.\\n\\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\"}}\\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\\\n\\\"}}\\n- Investigate the script execution chain (parent process 
tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n\\n### Related Rules\\n\\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the MOTD files or restore their original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":12,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f130261-43b4-4479-85ee-6204e4fcca49\",\"rule_id\":\"96d11d31-9a79-480f-8401-da28b194608f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.action in (\\\"rename\\\", \\\"creation\\\") and\\nfile.path : \\\"/etc/update-motd.d/*\\\" and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", 
\\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/lib/virtualbox/*\\\"\\n ) or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":12,\"merged_version\":12,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\"],\"target_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"revision\":0,\"current_rule\":{\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"updated_at\":\"2024-12-04T19:45:53.186Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.186Z\",\"created_by\":\"elastic\",\"name\":\"SeDebugPrivilege Enabled by a Suspicious Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703\",\"https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.EnabledPrivilegeList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration 
>\\nAudit Policies >\\nDetailed Tracking >\\nToken Right Adjusted Events (Success)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.provider: \\\"Microsoft-Windows-Security-Auditing\\\" and\\n event.action : \\\"Token Right Adjusted Events\\\" and\\n\\n winlog.event_data.EnabledPrivilegeList : \\\"SeDebugPrivilege\\\" and\\n\\n /* exclude processes with System Integrity */\\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n not winlog.event_data.ProcessName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*-*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\auditpol.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SeDebugPrivilege Enabled by a Suspicious Process\",\"description\":\"Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. 
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703\",\"https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\"}]}],\"setup\":\"## Setup\\n\\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDetailed Tracking >\\nToken Right Adjusted Events 
(Success)\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.EnabledPrivilegeList\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"51c218ae-0fbe-4ff0-a9de-697dd9194b4d\",\"rule_id\":\"97020e61-e591-4191-8a3b-2861a2b887cd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.186Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.provider: \\\"Microsoft-Windows-Security-Auditing\\\" and\\n event.action : \\\"Token Right Adjusted Events\\\" and\\n\\n winlog.event_data.EnabledPrivilegeList : \\\"SeDebugPrivilege\\\" and\\n\\n /* exclude processes with System Integrity */\\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n not winlog.event_data.ProcessName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cleanmgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*-*\\\\\\\\DismHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\auditpol.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSe.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"revision\":0,\"current_rule\":{\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"updated_at\":\"2024-12-04T19:45:53.193Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.193Z\",\"created_by\":\"elastic\",\"name\":\"AWS SAML Activity\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-25m\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\",\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and 
event.action:(Assumerolewithsaml or\\nUpdateSAMLProvider) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM SAML Provider Updated\",\"description\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"88311378-166c-443a-bfdc-a341fc2beb51\",\"rule_id\":\"979729e7-0c52-4c4c-b71e-88103304a79f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:53.193Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"AWS SAML Activity\",\"target_version\":\"AWS IAM SAML Provider Updated\",\"merged_version\":\"AWS IAM SAML Provider Updated\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.\",\"target_version\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.\",\"merged_version\":\"Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. 
This activity could be an indication of an attacker attempting to escalate privileges.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\",\"https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html\"],\"target_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"merged_version\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.001\",\"name\":\"Application Access Token\",\"reference\":\"https://attack.mitre.org/techniques/T1550/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.002\",\"name\":\"Trust Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"rule_schedule\":{\"has_base_version\":false,\"current_version\":{\"interval\":\"5m\",\"lookback\":\"1200s\"},\"target_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merged_version\":{\"interval\":\"5m\",\"lookback\":\"240s\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\\nUpdateSAMLProvider) and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and 
event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.dataset:aws.cloudtrail\\n and event.provider: iam.amazonaws.com\\n and event.action: UpdateSAMLProvider\\n and event.outcome:success\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":10,\"num_fields_with_conflicts\":9,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"revision\":0,\"current_rule\":{\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"updated_at\":\"2024-12-04T19:45:54.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.278Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Zoom Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Zoom Child Process\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. 
Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line of the child process to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process 
tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[],\"version\":313,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"Zoom.exe\\\" and process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Zoom Child Process\",\"description\":\"A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. 
Verify process details such as command line, network connections, file writes and associated file signature details as well.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Zoom Child Process\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\\n\\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line of the child process to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":416,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b4afd030-5d26-4510-913c-5f69e08d436d\",\"rule_id\":\"97aba1ef-6034-4bd3-8c1a-1e0996b27afa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"Zoom.exe\\\" and process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":313,\"target_version\":416,\"merged_version\":416,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data 
Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"vers
ion\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"revision\":0,\"current_rule\":{\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"updated_at\":\"2024-12-04T19:45:40.225Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.225Z\",\"created_by\":\"elastic\",\"name\":\"Startup or Run Key Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies run key or startup key registry modifications. 
In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup or Run Key Registry Modification\\n\\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.hive\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and \\n registry.data.strings != null and registry.hive : (\\\"HKEY_USERS\\\", \\\"HKLM\\\") and\\n registry.path : (\\n /* Machine Hive */\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\",\\n /* Users Hive */\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\"\\n ) and\\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\\n not registry.data.strings : \\\"ctfmon.exe /n\\\" and\\n not (registry.value : \\\"Application Restart #*\\\" and process.name : \\\"csrss.exe\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not registry.data.strings : (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\") and\\n not (\\n /* Logitech G Hub */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Logitech Inc\\\" and\\n (\\n process.name : \\\"lghub_agent.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\lghub.exe\\\\\\\" --background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\system_tray\\\\\\\\lghub_system_tray.exe\\\\\\\" --minimized\\\"\\n )\\n ) or\\n (\\n process.name : \\\"LogiBolt.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\"\\n )\\n )\\n ) or\\n\\n /* Google Drive File Stream, Chrome, and Google Update */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Google LLC\\\" and\\n (\\n process.name : \\\"GoogleDriveFS.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Drive File Stream\\\\\\\\*\\\\\\\\GoogleDriveFS.exe\\\\\\\" --startup_mode\\\"\\n ) or\\n\\n process.name : \\\"chrome.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\"\\n ) or\\n\\n process.name : \\\"GoogleUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Update\\\\\\\\*\\\\\\\\GoogleUpdateCore.exe\\\\\\\"\\\"\\n )\\n )\\n ) or\\n\\n /* MS Programs */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\") and\\n (\\n process.name : \\\"msedge.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start /prefetch:5\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --win-session-start\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start\\\"\\n ) or\\n\\n process.name : 
(\\\"Update.exe\\\", \\\"Teams.exe\\\") and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\"\\n ) or\\n\\n process.name : \\\"OneDriveStandaloneUpdater.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n\\n process.name : \\\"OneDriveSetup.exe\\\" and\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe /q /c * \\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\"\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background *\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"OneDrive.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\"\\n ) or\\n \\n process.name : \\\"Microsoft.SharePoint.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"MicrosoftEdgeUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\Expedient\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\*\\\\\\\\MicrosoftEdgeUpdateCore.exe\\\\\\\"\\\"\\n ) or\\n \\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\" and\\n registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\\\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\\\"\\n )\\n )\\n ) or\\n\\n /* Slack */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\n \\\"Slack Technologies, Inc.\\\", \\\"Slack Technologies, LLC\\\"\\n ) and process.name : \\\"slack.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\"\\n )\\n ) or\\n\\n /* Cisco */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Cisco WebEx LLC\\\", \\\"Cisco Systems, Inc.\\\") and\\n (\\n process.name : \\\"WebexHost.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\WebEx\\\\\\\\WebexHost.exe\\\\\\\" /daemon /runFrom=autorun\\\"\\n )\\n ) or\\n (\\n process.name : \\\"CiscoJabber.exe\\\" and registry.data.strings : (\\n 
\\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cisco Systems\\\\\\\\Cisco Jabber\\\\\\\\CiscoJabber.exe\\\\\\\" /min\\\"\\n )\\n )\\n ) or\\n\\n /* Loom */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Loom, Inc.\\\" and\\n process.name : \\\"Loom.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Loom\\\\\\\\Loom.exe --process-start-args \\\\\\\"--loomHidden\\\\\\\"\\\"\\n )\\n ) or\\n\\n /* Adobe */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Adobe Inc.\\\" and\\n process.name : (\\\"Acrobat.exe\\\", \\\"FlashUtil32_*_Plugin.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\FlashUtil32_*_Plugin.exe -update plugin\\\"\\n )\\n ) or\\n\\n /* CCleaner */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"PIRIFORM SOFTWARE LIMITED\\\" and\\n process.name : (\\\"CCleanerBrowser.exe\\\", \\\"CCleaner64.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\CCleaner Browser\\\\\\\\Application\\\\\\\\CCleanerBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\\\\\"Default\\\\\\\"\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\\\\\" /MONITOR\\\"\\n )\\n ) or\\n\\n /* Opera */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Opera Norway AS\\\" and\\n process.name : \\\"opera.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera\\\\\\\\launcher.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera GX\\\\\\\\launcher.exe\\\"\\n )\\n ) or\\n\\n /* Avast */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Avast Software s.r.o.\\\" and\\n process.name : \\\"AvastBrowser.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\"\\n )\\n ) or\\n\\n /* Grammarly */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Grammarly, Inc.\\\" and\\n process.name : \\\"GrammarlyInstaller.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Grammarly\\\\\\\\DesktopIntegrations\\\\\\\\Grammarly.Desktop.exe\\\"\\n )\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Startup or Run Key Registry Modification\",\"description\":\"Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Startup or Run Key Registry Modification\\n\\nAdversaries may achieve persistence by referencing a program with a registry run key. 
Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in 
the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.hive\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a9f26fba-1fcb-4034-8d8e-f1b7363ae814\",\"rule_id\":\"97fc44d3-8dae-4019-ae83-298c3015600f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.225Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and \\n registry.data.strings != null and registry.hive : (\\\"HKEY_USERS\\\", \\\"HKLM\\\") and\\n registry.path : (\\n /* Machine Hive */\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\",\\n /* Users Hive */\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\*\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell\\\\\\\\*\\\"\\n ) and\\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\\n not registry.data.strings : \\\"ctfmon.exe /n\\\" and\\n not (registry.value : \\\"Application Restart #*\\\" and process.name : \\\"csrss.exe\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not registry.data.strings : (\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\") and\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\") and\\n not (\\n /* Logitech G Hub */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Logitech Inc\\\" and\\n (\\n process.name : \\\"lghub_agent.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\lghub.exe\\\\\\\" --background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\LGHUB\\\\\\\\system_tray\\\\\\\\lghub_system_tray.exe\\\\\\\" --minimized\\\"\\n )\\n ) or\\n (\\n process.name : \\\"LogiBolt.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBolt.exe --startup\\\"\\n )\\n )\\n ) or\\n\\n /* Google Drive File Stream, Chrome, and Google Update */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Google LLC\\\" and\\n (\\n process.name : \\\"GoogleDriveFS.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Drive File Stream\\\\\\\\*\\\\\\\\GoogleDriveFS.exe\\\\\\\" --startup_mode\\\"\\n ) or\\n\\n process.name : \\\"chrome.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\Application\\\\\\\\chrome.exe\\\\\\\" --no-startup-window /prefetch:5\\\"\\n ) or\\n\\n process.name : \\\"GoogleUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Google\\\\\\\\Update\\\\\\\\*\\\\\\\\GoogleUpdateCore.exe\\\\\\\"\\\"\\n )\\n )\\n ) or\\n\\n /* MS Programs */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\") and\\n (\\n process.name : \\\"msedge.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start /prefetch:5\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --win-session-start\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\Application\\\\\\\\msedge.exe\\\\\\\" --no-startup-window --win-session-start\\\"\\n ) or\\n\\n 
process.name : (\\\"Update.exe\\\", \\\"Teams.exe\\\") and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\Microsoft\\\\\\\\Teams\\\\\\\\Update.exe --processStart \\\\\\\"Teams.exe\\\\\\\" --process-start-args \\\\\\\"--system-initiated\\\\\\\"\\\"\\n ) or\\n\\n process.name : \\\"OneDriveStandaloneUpdater.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n\\n process.name : \\\"OneDriveSetup.exe\\\" and\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe /q /c * \\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\*\\\\\\\"\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe /background *\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"OneDrive.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\OneDrive.exe\\\\\\\" /background\\\"\\n ) or\\n \\n process.name : \\\"Microsoft.SharePoint.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\OneDrive\\\\\\\\??.???.????.????\\\\\\\\Microsoft.SharePoint.exe\\\"\\n ) or\\n \\n process.name : \\\"MicrosoftEdgeUpdate.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\Expedient\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\EdgeUpdate\\\\\\\\*\\\\\\\\MicrosoftEdgeUpdateCore.exe\\\\\\\"\\\"\\n ) or\\n \\n process.executable : \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\" and\\n registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Microsoft\\\\\\\\EdgeWebView\\\\\\\\Application\\\\\\\\*\\\\\\\\Installer\\\\\\\\setup.exe\\\\\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\\\"\\n )\\n )\\n ) or\\n\\n /* Slack */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\n \\\"Slack Technologies, Inc.\\\", \\\"Slack Technologies, LLC\\\"\\n ) and process.name : \\\"slack.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Slack\\\\\\\\slack.exe\\\\\\\" --process-start-args --startup\\\"\\n )\\n ) or\\n\\n /* Cisco */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name in (\\\"Cisco WebEx LLC\\\", \\\"Cisco Systems, Inc.\\\") and\\n (\\n process.name : \\\"WebexHost.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\WebEx\\\\\\\\WebexHost.exe\\\\\\\" /daemon /runFrom=autorun\\\"\\n )\\n ) or\\n (\\n process.name : \\\"CiscoJabber.exe\\\" and registry.data.strings : (\\n 
\\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Cisco Systems\\\\\\\\Cisco Jabber\\\\\\\\CiscoJabber.exe\\\\\\\" /min\\\"\\n )\\n )\\n ) or\\n\\n /* Loom */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Loom, Inc.\\\" and\\n process.name : \\\"Loom.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Loom\\\\\\\\Loom.exe --process-start-args \\\\\\\"--loomHidden\\\\\\\"\\\"\\n )\\n ) or\\n\\n /* Adobe */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Adobe Inc.\\\" and\\n process.name : (\\\"Acrobat.exe\\\", \\\"FlashUtil32_*_Plugin.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Program Files\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Adobe\\\\\\\\Acrobat DC\\\\\\\\Acrobat\\\\\\\\AdobeCollabSync.exe\\\\\\\"\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\Macromed\\\\\\\\Flash\\\\\\\\FlashUtil32_*_Plugin.exe -update plugin\\\"\\n )\\n ) or\\n\\n /* CCleaner */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"PIRIFORM SOFTWARE LIMITED\\\" and\\n process.name : (\\\"CCleanerBrowser.exe\\\", \\\"CCleaner64.exe\\\") and registry.data.strings : (\\n \\\"\\\\\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\CCleaner Browser\\\\\\\\Application\\\\\\\\CCleanerBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\\\\\"Default\\\\\\\"\\\",\\n \\\"\\\\\\\"C:\\\\\\\\Program Files\\\\\\\\CCleaner\\\\\\\\CCleaner64.exe\\\\\\\" /MONITOR\\\"\\n )\\n ) or\\n\\n /* Opera */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Opera Norway AS\\\" and\\n process.name : \\\"opera.exe\\\" and registry.data.strings : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera\\\\\\\\launcher.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Programs\\\\\\\\Opera GX\\\\\\\\launcher.exe\\\"\\n )\\n ) or\\n\\n /* Avast */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Avast Software s.r.o.\\\" and\\n process.name : \\\"AvastBrowser.exe\\\" and registry.data.strings : (\\n \\\"\\\\\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\\\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\AVAST Software\\\\\\\\Browser\\\\\\\\Application\\\\\\\\AvastBrowser.exe\\\\\\\" --check-run=src=logon --auto-launch-at-startup*\\\",\\n \\\"\\\"\\n )\\n ) or\\n\\n /* Grammarly */\\n (\\n process.code_signature.trusted == true and process.code_signature.subject_name == \\\"Grammarly, Inc.\\\" and\\n process.name : \\\"GrammarlyInstaller.exe\\\" and registry.data.strings : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Grammarly\\\\\\\\DesktopIntegrations\\\\\\\\Grammarly.Desktop.exe\\\"\\n )\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"updated_at\":\"2024-12-04T19:45:54.149Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.149Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Credential Access\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user.\"],\"from\":\"now-130m\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/drive/answer/2494822\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.visibility\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"file where event.dataset == \\\"google_workspace.drive\\\" and event.action : (\\\"copy\\\", \\\"view\\\", \\\"download\\\") and\\n google_workspace.drive.visibility: \\\"people_with_link\\\" and source.user.email == \\\"\\\" and\\n file.extension: (\\n \\\"token\\\",\\\"assig\\\", \\\"pssc\\\", \\\"keystore\\\", \\\"pub\\\", \\\"pgp.asc\\\", \\\"ps1xml\\\", \\\"pem\\\", \\\"gpg.sig\\\", \\\"der\\\", \\\"key\\\",\\n \\\"p7r\\\", \\\"p12\\\", \\\"asc\\\", \\\"jks\\\", \\\"p7b\\\", \\\"signature\\\", \\\"gpg\\\", \\\"pgp.sig\\\", \\\"sst\\\", \\\"pgp\\\", \\\"gpgz\\\", \\\"pfx\\\", \\\"crt\\\",\\n \\\"p8\\\", \\\"sig\\\", \\\"pkcs7\\\", \\\"jceks\\\", \\\"pkcs8\\\", \\\"psc1\\\", \\\"p7c\\\", \\\"csr\\\", \\\"cer\\\", \\\"spc\\\", \\\"ps2xml\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Drive Encryption Key(s) Accessed from Anonymous User\",\"description\":\"Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. 
Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A user may generate a shared access link to encryption key files to share with others. 
It is unlikely that the intended recipient is an external or anonymous user.\"],\"references\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.visibility\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f5e0115-4c6c-4ad7-a147-5380134f5a30\",\"rule_id\":\"980b70a0-c820-11ed-8799-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.022Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.149Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where event.dataset == \\\"google_workspace.drive\\\" and event.action : (\\\"copy\\\", \\\"view\\\", \\\"download\\\") and\\n google_workspace.drive.visibility: \\\"people_with_link\\\" and source.user.email == \\\"\\\" and\\n file.extension: (\\n 
\\\"token\\\",\\\"assig\\\", \\\"pssc\\\", \\\"keystore\\\", \\\"pub\\\", \\\"pgp.asc\\\", \\\"ps1xml\\\", \\\"pem\\\", \\\"gpg.sig\\\", \\\"der\\\", \\\"key\\\",\\n \\\"p7r\\\", \\\"p12\\\", \\\"asc\\\", \\\"jks\\\", \\\"p7b\\\", \\\"signature\\\", \\\"gpg\\\", \\\"pgp.sig\\\", \\\"sst\\\", \\\"pgp\\\", \\\"gpgz\\\", \\\"pfx\\\", \\\"crt\\\",\\n \\\"p8\\\", \\\"sig\\\", \\\"pkcs7\\\", \\\"jceks\\\", \\\"pkcs8\\\", \\\"psc1\\\", \\\"p7c\\\", \\\"csr\\\", \\\"cer\\\", \\\"spc\\\", \\\"ps2xml\\\")\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/drive/answer/2494822\"],\"target_version\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/drive/answer/2494822\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"revision\":0,\"current_rule\":{\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"updated_at\":\"2024-12-04T19:46:04.731Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.731Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook 
Egress Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"logs-endpoint.events.network*\"],\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n )\\n ] by 
process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Egress Network Connection\",\"description\":\"This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d910f370-3669-46a6-abe4-eb608ffea8f6\",\"rule_id\":\"9822c5a1-1494-42de-b197-487197bb540c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.731Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", 
\\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\",\"logs-endpoint.events.network*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"target_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"revision\":0,\"current_rule\":{\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"updated_at\":\"2024-12-04T19:45:54.151Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.151Z\",\"created_by\":\"elastic\",\"name\":\"Indirect Command Execution via Forfiles/Pcalua\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"pcalua.exe\\\", \\\"forfiles.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Indirect Command Execution via Forfiles/Pcalua\",\"description\":\"Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3356179c-95ea-4598-870b-307847fc7e67\",\"rule_id\":\"98843d35-645e-4e66-9d6a-5049acd96ce1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.151Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"pcalua.exe\\\", \\\"forfiles.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"revision\":0,\"current_rule\":{\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"updated_at\":\"2024-12-04T19:45:54.169Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.169Z\",\"created_by\":\"elastic\",\"name\":\"Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score\",\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-10m\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"],\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score\",\"description\":\"A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. 
Alternatively, the model's blocklist identified the event as being malicious.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-10m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.004\",\"name\":\"Masquerade Task or Service\",\"reference\":\"https://attack.mitre.org/techniques/T1036/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"blocklist_label\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"problemchild.prediction_probability\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5399a191-96a2-4efe-8eb0-2f1ee567cec8\",\"rule_id\":\"994e40aa-8c85-43de-825e-15f665375ee8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.169Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\\nblocklist_label == 1) and not process.args : (\\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.txt*\\\", \\\"*C:\\\\\\\\WINDOWS\\\\\\\\temp\\\\\\\\nessus_*.tmp*\\\")\\n\",\"language\":\"eql\",\"index\":[\"endgame-*\",\"logs-endpoint.events.process-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule 
Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"target_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"OS: Windows\",\"Data Source: Elastic Endgame\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"high\",\"merged_version\":\"high\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":73,\"merged_version\":73,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"revision\":0,\"current_rule\":{\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"updated_at\":\"2024-12-04T19:45:54.172Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.172Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via LSASS Memory Dump\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic:Execution\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\\n winlog.event_data.CallTrace : (\\\"*dbghelp*\\\", \\\"*dbgcore*\\\") and\\n\\n /* case of lsass crashing */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via LSASS Memory Dump\",\"description\":\"Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic:Execution\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.CallTrace\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetImage\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"3f8a9ca3-a184-4f51-8a48-a0a8c5203703\",\"rule_id\":\"9960432d-9b26-409f-972b-839a959e79e2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.172Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code == \\\"10\\\" and\\n winlog.event_data.TargetImage : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\lsass.exe\\\" and\\n\\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\\n winlog.event_data.CallTrace : (\\\"*dbghelp*\\\", \\\"*dbgcore*\\\") and\\n\\n /* case of lsass crashing */\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"target_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz\",\"https://www.elastic.co/security-labs/detect-credential-access\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"revision\":0,\"current_rule\":{\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"updated_at\":\"2024-12-04T19:45:54.179Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.179Z\",\"created_by\":\"elastic\",\"name\":\"Potential Shadow File Read via Command Line Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. 
They may utilize these to move laterally undetected and access additional resources.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.008\",\"name\":\"/etc/passwd and /etc/shadow\",\"reference\":\"https://attack.mitre.org/techniques/T1003/008/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/\"],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend 
Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not \\n(process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") and not \\n(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\")\\n\",\"new_terms_fields\":[\"process.command_line\",\"host.id\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Shadow File Read via Command Line Utilities\",\"description\":\"Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. 
The hashes stored in this file can be cracked offline, and the recovered credentials may then be used to move laterally undetected and access additional resources.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.008\",\"name\":\"/etc/passwd and /etc/shadow\",\"reference\":\"https://attack.mitre.org/techniques/T1003/008/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f4df0e36-cde6-42af-8a76-8dd689a3e4c2\",\"rule_id\":\"9a3a3689-8ed1-4cdb-83fb-9506db54c61f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.179Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n (process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and 
process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"proces
s.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not \\n(process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") and not \\n(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\")\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n (process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type : \\\"linux\\\" and event.category : \\\"process\\\" and event.action : (\\\"exec\\\" or \\\"exec_event\\\") and\\n(process.args : \\\"/etc/shadow\\\" or (process.working_directory: \\\"/etc\\\" and process.args: \\\"shadow\\\")) and not (\\n (process.executable : (\\\"/bin/chown\\\" or \\\"/usr/bin/chown\\\") and process.args : \\\"root:shadow\\\") or\\n 
(process.executable : (\\\"/bin/chmod\\\" or \\\"/usr/bin/chmod\\\") and process.args : \\\"640\\\") or\\n process.executable:(/vz/* or /var/lib/docker/* or /run/containerd/* or /tmp/.criu* or /tmp/newroot/*) or\\n process.parent.name:(gen_passwd_sets or scc_* or wazuh-modulesd)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"process.command_line\",\"host.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"revision\":0,\"current_rule\":{\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"updated_at\":\"2024-12-04T19:45:54.181Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.181Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Explorer Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious Windows explorer child process. 
Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and 
process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Explorer Child Process\",\"description\":\"Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2f6adb09-70e1-477e-be45-93edb455db95\",\"rule_id\":\"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.181Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial 
Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"powershell.exe\\\", \\\"rundll32.exe\\\", \\\"cmd.exe\\\", \\\"mshta.exe\\\", \\\"regsvr32.exe\\\") or\\n 
?process.pe.original_file_name in (\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"PowerShell.EXE\\\", \\\"RUNDLL32.EXE\\\", \\\"Cmd.Exe\\\", \\\"MSHTA.EXE\\\", \\\"REGSVR32.EXE\\\")\\n ) and\\n /* Explorer started via DCOM */\\n process.parent.name : \\\"explorer.exe\\\" and process.parent.args : \\\"-Embedding\\\" and\\n not process.parent.args:\\n (\\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\\n \\\"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\\\",\\n \\\"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"revision\":0,\"current_rule\":{\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"updated_at\":\"2024-12-04T19:45:40.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.219Z\",\"created_by\":\"elastic\",\"name\":\"Scheduled Tasks AT Command Enabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Scheduled Tasks AT Command Enabled\",\"description\":\"Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d50db8b1-d5db-4ee8-bc67-8af3d1515cd9\",\"rule_id\":\"9aa0e1f6-52ce-42e1-abb3-09657cee2698\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", 
\\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Schedule\\\\\\\\Configuration\\\\\\\\EnableAt\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"revision\":0,\"current_rule\":{\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"updated_at\":\"2024-12-04T19:45:54.184Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.184Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to User\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. 
This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user.\"],\"from\":\"now-6m\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to User\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"version\":4,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"9707f06f-2da8-40ba-b2f4-7e1ca4167503\",\"rule_id\":\"9aa4be8d-5828-417d-9f54-7cd304571b24\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.184Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed 
policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected user(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other 
IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"user.name\",\"source.address\",\"aws.cloudtrail.user_identity.arn\",\"user_agent.original\",\"target.userName\",\"event.action\",\"policyName\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachUserPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep\\n @timestamp,\\n cloud.region,\\n event.provider,\\n event.action,\\n event.outcome,\\n policyName,\\n target.userName,\\n aws.cloudtrail.request_parameters,\\n aws.cloudtrail.user_identity.arn,\\n related.user,\\n user_agent.original,\\n user.name,\\n source.address\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"revision\":0,\"current_rule\":{\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"updated_at\":\"2024-12-04T19:45:54.188Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.188Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via WMI Event Subscription\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"create\\\" and\\n process.args : (\\\"ActiveScriptEventConsumer\\\", 
\\\"CommandLineEventConsumer\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via WMI Event Subscription\",\"description\":\"An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f1738911-166f-4856-a6b4-abab6de603e4\",\"rule_id\":\"9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.188Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wmic.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"create\\\" and\\n process.args : (\\\"ActiveScriptEventConsumer\\\", \\\"CommandLineEventConsumer\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"revision\":0,\"current_rule\":{\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"updated_at\":\"2024-12-04T19:45:54.191Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.191Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via CAP_SETUID/SETGID Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). 
In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and 
Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n )\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == 
\\\"0\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via CAP_SETUID/SETGID Capabilities\",\"description\":\"Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5a0b3b08-a172-463b-9c1c-738364b31d39\",\"rule_id\":\"9b80cb26-9966-44b5-abbf-764fbdbc3586\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.191Z\",\"created_by\":\"elastic\",\"
revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", \\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like \\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == 
\\\"0\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thre
ad.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", 
\\\"/usr/share/language-tools/language-options\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n )\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", 
\\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like \\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name != null and\\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\") and \\n user.id != \\\"0\\\" and not (\\n process.parent.executable : (\\\"/tmp/newroot/*\\\", \\\"/opt/carbonblack*\\\") or\\n process.parent.executable in (\\n \\\"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\\\", \\\"/usr/bin/vmware-toolbox-cmd\\\",\\n \\\"/usr/bin/dbus-daemon\\\", \\\"/usr/bin/update-notifier\\\", \\\"/usr/share/language-tools/language-options\\\",\\n \\\"/opt/SolarWinds/Agent/*\\\", \\\"/usr/local/sbin/lynis.sh\\\"\\n ) or\\n process.executable : (\\\"/opt/dynatrace/*\\\", \\\"/tmp/newroot/*\\\", \\\"/opt/SolarWinds/Agent/*\\\") or\\n process.executable in (\\n \\\"/bin/fgrep\\\", \\\"/usr/bin/sudo\\\", \\\"/usr/bin/pkexec\\\", \\\"/usr/lib/cockpit/cockpit-session\\\", \\\"/usr/sbin/suexec\\\"\\n ) or\\n process.parent.name in (\\\"update-notifier\\\", \\\"language-options\\\", \\\"osqueryd\\\", \\\"saposcol\\\", \\\"dbus-daemon\\\", \\\"osqueryi\\\", \\\"sdbrun\\\") or\\n process.command_line like (\\\"sudo*BECOME-SUCCESS*\\\", \\\"/bin/sh*sapsysinfo.sh*\\\", \\\"sudo su\\\", \\\"sudo su -\\\") or\\n process.name == \\\"sudo\\\" or\\n process.parent.command_line like 
\\\"/usr/bin/python*ansible*\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and event.action == \\\"uid_change\\\" and event.type == \\\"change\\\" and \\n (process.thread.capabilities.effective : \\\"CAP_SET?ID\\\" or process.thread.capabilities.permitted : \\\"CAP_SET?ID\\\")\\n and user.id == \\\"0\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"revision\":0,\"current_rule\":{\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"updated_at\":\"2024-12-04T19:45:54.193Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.193Z\",\"created_by\":\"elastic\",\"name\":\"Hosts File Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Hosts File Modified\\n\\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. 
For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \\\"Fail open\\\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\\n\\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\\n\\n#### Possible investigation steps\\n\\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of the administrator account that performed the action.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1565\",\"name\":\"Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/\",\"subtechnique\":[{\"id\":\"T1565.001\",\"name\":\"Stored Data 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"],\"query\":\"any where\\n\\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\\n miss this, which is the purpose of the process + command line args logic below */\\n (\\n event.category == \\\"file\\\" and event.type in (\\\"change\\\", \\\"creation\\\") and\\n 
file.path : (\\\"/private/etc/hosts\\\", \\\"/etc/hosts\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\hosts\\\") and \\n not process.name in (\\\"dockerd\\\", \\\"rootlesskit\\\", \\\"podman\\\", \\\"crio\\\")\\n )\\n or\\n\\n /* process events for change targeting linux only */\\n (\\n event.category == \\\"process\\\" and event.type in (\\\"start\\\") and\\n process.name in (\\\"nano\\\", \\\"vim\\\", \\\"vi\\\", \\\"emacs\\\", \\\"echo\\\", \\\"sed\\\") and\\n process.args : (\\\"/etc/hosts\\\") and \\n not process.parent.name in (\\\"dhclient-script\\\", \\\"google_set_hostname\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Hosts File Modified\",\"description\":\"The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Hosts File Modified\\n\\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. 
This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \\\"Fail open\\\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\\n\\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\\n\\n#### Possible investigation steps\\n\\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges of the administrator account that performed the action.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1565\",\"name\":\"Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/\",\"subtechnique\":[{\"id\":\"T1565.001\",\"name\":\"Stored Data Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1565/001/\"}]}]}],\"setup\":\"## Setup\\n\\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8ad01fc-7bce-485c-9112-55615ba32106\",\"rule_id\":\"9c260313-c811-4ec8-ab89-8f6530e0246c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.193Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where\\n\\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\\n miss this, which is the purpose of the process + command line args logic below */\\n (\\n event.category == \\\"file\\\" and event.type in (\\\"change\\\", \\\"creation\\\") and\\n file.path : (\\\"/private/etc/hosts\\\", \\\"/etc/hosts\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\etc\\\\\\\\hosts\\\") and \\n not process.name in (\\\"dockerd\\\", \\\"rootlesskit\\\", \\\"podman\\\", \\\"crio\\\")\\n )\\n or\\n\\n /* process events for change targeting linux only */\\n (\\n event.category == \\\"process\\\" and event.type in (\\\"start\\\") and\\n process.name in (\\\"nano\\\", \\\"vim\\\", \\\"vi\\\", \\\"emacs\\\", 
\\\"echo\\\", \\\"sed\\\") and\\n process.args : (\\\"/etc/hosts\\\") and \\n not process.parent.name in (\\\"dhclient-script\\\", \\\"google_set_hostname\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"winlogbeat-*\",\"logs-endpoint.events.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"revision\":0,\"current_rule\":{\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"updated_at\":\"2024-12-04T19:45:54.196Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.196Z\",\"created_by\":\"elastic\",\"name\":\"Remote Scheduled Task Creation via RPC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies scheduled task creation from a remote source. 
This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the TaskContent value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RpcCallClientLocality\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and \\n winlog.event_data.RpcCallClientLocality : \\\"0\\\" and winlog.event_data.ClientProcessId : \\\"0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Scheduled Task Creation via RPC\",\"description\":\"Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Scheduled Task Creation\\n\\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. 
One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\\n\\n#### Possible investigation steps\\n\\n- Review the TaskContent value to investigate the task configured action.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\\n\\n### Related rules\\n\\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Remove scheduled task and any other related artifacts.\\n- Review privileged account management and user account management settings. 
Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ClientProcessId\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.RpcCallClientLocality\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"a8cdde6f-ad21-4a0b-888a-1cb674e6083b\",\"rule_id\":\"9c865691-5599-447a-bac9-b3f2df5f9a9d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.196Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-created\\\" and \\n winlog.event_data.RpcCallClientLocality : \\\"0\\\" and winlog.event_data.ClientProcessId : \\\"0\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"revision\":0,\"current_rule\":{\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"updated_at\":\"2024-12-04T19:45:54.205Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.205Z\",\"created_by\":\"elastic\",\"name\":\"Command Shell Activity Started via RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Microsoft Windows installers leveraging RunDLL32 for installation.\"],\"from\":\"now-9m\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\n process.parent.name : \\\"rundll32.exe\\\" and process.parent.command_line != null and\\n /* common FPs can be added here */\\n not process.parent.args : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SHELL32.dll,RunAsNewUser_RunDLL\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Shell Activity Started via RunDLL32\",\"description\":\"Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Microsoft Windows installers leveraging RunDLL32 for installation.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6e66aaea-6fad-4849-84b6-ad7d5d4735f2\",\"rule_id\":\"9ccf3ce0-0057-440a-91f5-870c6ad39093\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.205Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\n process.parent.name : \\\"rundll32.exe\\\" and process.parent.command_line != null and\\n /* common FPs can be added here */\\n not process.parent.args : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SHELL32.dll,RunAsNewUser_RunDLL\\\",\\n 
\\\"C:\\\\\\\\WINDOWS\\\\\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"revision\":0,\"current_rule\":{\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"updated_at\":\"2024-12-04T19:45:54.207Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.207Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by a Script Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and (\\n 
process.name.caseless:\\\"msbuild.exe\\\" or process.pe.original_file_name:\\\"MSBuild.exe\\\") and \\n process.parent.name:(\\\"cmd.exe\\\" or \\\"powershell.exe\\\" or \\\"pwsh.exe\\\" or \\\"powershell_ise.exe\\\" or \\\"cscript.exe\\\" or\\n \\\"wscript.exe\\\" or \\\"mshta.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by a Script Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name.caseless\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c5bfb1d5-6729-40f2-bc03-dd86bba7d76a\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.207Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and (\\n process.name.caseless:\\\"msbuild.exe\\\" or process.pe.original_file_name:\\\"MSBuild.exe\\\") and \\n process.parent.name:(\\\"cmd.exe\\\" or \\\"powershell.exe\\\" or \\\"pwsh.exe\\\" or \\\"powershell_ise.exe\\\" or \\\"cscript.exe\\\" or\\n \\\"wscript.exe\\\" or \\\"mshta.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"revision\":0,\"current_rule\":{\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"updated_at\":\"2024-12-04T19:45:54.209Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.209Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by a System Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. 
This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", \\\"wmiprvse.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by a System Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b8d062b8-cfea-4cc8-9617-c12067450833\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.209Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"explorer.exe\\\", 
\\\"wmiprvse.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"revision\":0,\"current_rule\":{\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"updated_at\":\"2024-12-04T19:45:54.212Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.212Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Using an Alternate Name\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. 
This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Using an Alternate Name\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name == \\\"MSBuild.exe\\\" and\\n not process.name : \\\"MSBuild.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Using an Alternate Name\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. 
This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Using an Alternate Name\\n\\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d298624e-ffd1-4892-a111-35313cd74cbd\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.023Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.212Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name == \\\"MSBuild.exe\\\" and\\n not process.name : \\\"MSBuild.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"revision\":0,\"current_rule\":{\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"updated_at\":\"2024-12-04T19:45:54.214Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.214Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Trusted Developer Utility\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Trusted Developer Utility\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\\n\\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\\n\\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the `.csproj` file location.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and (process.name : \\\"MSBuild.exe\\\" or process.pe.original_file_name == \\\"MSBuild.exe\\\")]\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\") or file.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\"))]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Trusted Developer Utility\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked 
libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Trusted Developer Utility\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\\n\\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\\n\\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to identify the `.csproj` file location.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8627eb62-30f7-4150-afef-57c8a8e681a2\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.214Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and (process.name : \\\"MSBuild.exe\\\" or process.pe.original_file_name == \\\"MSBuild.exe\\\")]\\n [any where host.os.type == \\\"windows\\\" and (event.category == \\\"library\\\" or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : (\\\"vaultcli.dll\\\", \\\"SAMLib.DLL\\\") or file.name : (\\\"vaultcli.dll\\\", 
\\\"SAMLib.DLL\\\"))]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"revision\":0,\"current_rule\":{\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"updated_at\":\"2024-12-04T19:45:54.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.217Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started an Unusual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. 
This technique is sometimes used to deploy a malicious payload using the Build Engine.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name.\"],\"from\":\"now-9m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"version\":211,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\\\"MSBuild.exe\\\" or \\\"msbuild.exe\\\") and\\nprocess.name:(\\\"csc.exe\\\" or \\\"iexplore.exe\\\" or \\\"powershell.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft 
Build Engine Started an Unusual Process\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name.\"],\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.004\",\"name\":\"Compile After Delivery\",\"reference\":\"https://attack.mitre.org/techniques/T1027/004/\"}]},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55e9be51-2736-4ae0-ba13-70c750530a07\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\\\"MSBuild.exe\\\" or \\\"msbuild.exe\\\") and\\nprocess.name:(\\\"csc.exe\\\" or \\\"iexplore.exe\\\" or \\\"powershell.exe\\\")\\n\",\"new_terms_fields\":[\"host.id\",\"user.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":211,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"revision\":0,\"current_rule\":{\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"updated_at\":\"2024-12-04T19:45:54.219Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.219Z\",\"created_by\":\"elastic\",\"name\":\"Process Injection by the Microsoft Build Engine\",\"tags\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"from\":\"now-6m\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"process.name:MSBuild.exe and host.os.type:windows and event.action:\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Injection by the Microsoft Build Engine\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"},{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c02d737d-2559-45f3-a1bd-f8e9570ed2f7\",\"rule_id\":\"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.219Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"process.name:MSBuild.exe and host.os.type:windows and event.action:\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and process.name: \\\"MSBuild.exe\\\" and\\n event.action:(\\\"CreateRemoteThread detected (rule: CreateRemoteThread)\\\", \\\"CreateRemoteThread\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"revision\":0,\"current_rule\":{\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"updated_at\":\"2024-12-04T19:45:54.231Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.231Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via DCSync\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). 
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where event.action : 
(\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and winlog.event_data.Properties : (\\n\\n /* Control Access Rights/Permissions Symbol */\\n\\n \\\"*DS-Replication-Get-Changes*\\\",\\n \\\"*DS-Replication-Get-Changes-All*\\\",\\n \\\"*DS-Replication-Get-Changes-In-Filtered-Set*\\\",\\n\\n /* Identifying GUID used in ACE */\\n\\n \\\"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*89e95b76-444d-4c62-991a-0facbeda640c*\\\")\\n\\n /* The right to perform an operation controlled by an extended access right. */\\n\\n and winlog.event_data.AccessMask : \\\"0x100\\\" and\\n not winlog.event_data.SubjectUserName : (\\n \\\"*$\\\", \\\"MSOL_*\\\", \\\"OpenDNS_Connector\\\", \\\"adconnect\\\", \\\"SyncADConnect\\\",\\n \\\"SyncADConnectCM\\\", \\\"aadsync\\\", \\\"svcAzureADSync\\\", \\\"-\\\"\\n )\\n\\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via DCSync\",\"description\":\"This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via DCSync\\n\\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\\n\\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. 
Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\\n\\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\\n\\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\\n\\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). 
It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account and system owners and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\\n\\n### False positive analysis\\n\\n- Administrators may use custom accounts on Azure AD Connect, investigate whether this is the case, and if it is properly secured. If noisy in your environment due to expected activity, consider adding the corresponding account as an exception.\\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as an exception.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. Use this information to determine ways the attacker could regain access to the environment.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, 
Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Properties\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"dcadc2bb-566b-4d71-8349-1301a8c32a40\",\"rule_id\":\"9f962927-1a4f-45f3-a57b-287f2c7029c1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.231Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.action : (\\\"Directory Service Access\\\", \\\"object-operation-performed\\\") and\\n event.code == \\\"4662\\\" and winlog.event_data.Properties : (\\n\\n /* Control Access Rights/Permissions Symbol */\\n\\n \\\"*DS-Replication-Get-Changes*\\\",\\n \\\"*DS-Replication-Get-Changes-All*\\\",\\n \\\"*DS-Replication-Get-Changes-In-Filtered-Set*\\\",\\n\\n /* Identifying GUID used in ACE */\\n\\n \\\"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\\\",\\n \\\"*89e95b76-444d-4c62-991a-0facbeda640c*\\\")\\n\\n /* The right to perform an operation controlled by an extended access right. 
*/\\n\\n and winlog.event_data.AccessMask : \\\"0x100\\\" and\\n not winlog.event_data.SubjectUserName : (\\n \\\"*$\\\", \\\"MSOL_*\\\", \\\"OpenDNS_Connector\\\", \\\"adconnect\\\", \\\"SyncADConnect\\\",\\n \\\"SyncADConnectCM\\\", \\\"aadsync\\\", \\\"svcAzureADSync\\\", \\\"-\\\"\\n )\\n\\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\"],\"target_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html\",\"https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml\",\"https://g
ithub.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md\",\"https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync\",\"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"revision\":0,\"current_rule\":{\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"updated_at\":\"2024-12-04T19:45:54.233Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.233Z\",\"created_by\":\"elastic\",\"name\":\"File Permission Modification in Writable Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies file permission modifications in common writable directories by a non-root user. 
Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username.\"],\"from\":\"now-9m\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\"}]}],\"to\":\"now\",\"references\":[],\"version\":210,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available)\\n\",\"new_terms_fields\":[\"host.id\",\"process.parent.executable\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"File Permission Modification in Writable Directory\",\"description\":\"Identifies file permission modifications in common writable directories by a non-root user. 
Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"389a9945-b70a-4bf6-94fe-582cfb2beb41\",\"rule_id\":\"9f9a2a82-93a8-4b1a-8778-1780895626d4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.233Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or 
apt-get)\\n\",\"new_terms_fields\":[\"host.id\",\"process.parent.executable\",\"process.command_line\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":210,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or apt-get)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and\\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\\nnot process.parent.name:(apt-key or update-motd-updates-available or apt-get)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"revision\":0,\"current_rule\":{\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"updated_at\":\"2024-12-04T19:45:54.242Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.242Z\",\"created_by\":\"elastic\",\"name\":\"A scheduled task was updated\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legitimate scheduled task. Some changes such as disabling or enabling a scheduled task are common and may generate noise.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"scheduled-task-updated\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and \\n not winlog.event_data.TaskName : \\\"*Microsoft*\\\" and \\n not winlog.event_data.TaskName :\\n (\\\"\\\\\\\\User_Feed_Synchronization-*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-12-1-*\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistant\\\", \\n \\\"\\\\\\\\IpamDnsProvisioning\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantAllUsersRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantCalendarRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantWakeupRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\.NET Framework\\\\\\\\.NET Framework NGEN v*\\\", \\n 
\\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\") and \\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"A scheduled task was updated\",\"description\":\"Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TaskName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"4b7e3391-d96b-4676-a316-7667f900ff09\",\"rule_id\":\"a02cb68e-7c93-48d1-93b2-2c39023308eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.242Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"scheduled-task-updated\\\" and\\n\\n /* excluding tasks created by the computer account */\\n not user.name : \\\"*$\\\" and \\n not winlog.event_data.TaskName : \\\"*Microsoft*\\\" and \\n not winlog.event_data.TaskName :\\n (\\\"\\\\\\\\User_Feed_Synchronization-*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-5-21*\\\",\\n \\\"\\\\\\\\OneDrive Reporting Task-S-1-12-1-*\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HP Web Products Detection\\\",\\n \\\"\\\\\\\\Hewlett-Packard\\\\\\\\HPDeviceCheck\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistant\\\", \\n \\\"\\\\\\\\IpamDnsProvisioning\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantAllUsersRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantCalendarRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UpdateOrchestrator\\\\\\\\UpdateAssistantWakeupRun\\\", \\n \\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\.NET Framework\\\\\\\\.NET Framework NGEN v*\\\", \\n 
\\\"\\\\\\\\Microsoft\\\\\\\\VisualStudio\\\\\\\\Updates\\\\\\\\BackgroundDownload\\\") and \\n not winlog.event_data.SubjectUserSid : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"revision\":0,\"current_rule\":{\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"updated_at\":\"2024-12-04T19:45:54.250Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.250Z\",\"created_by\":\"elastic\",\"name\":\"InstallUtil Process Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\\n\\nsequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"installutil.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"installutil.exe\\\" and network.direction : (\\\"outgoing\\\", \\\"egress\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"InstallUtil Process Making Network Connections\",\"description\":\"Identifies InstallUtil.exe making outbound network connections. 
This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.004\",\"name\":\"InstallUtil\",\"reference\":\"https://attack.mitre.org/techniques/T1218/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1bf38c84-3cee-4bbb-bd14-f6be30d2f587\",\"rule_id\":\"a13167f1-eec2-4015-9631-1fee60406dcf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.250Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* the benefit of doing this as an eql sequence vs kql is 
this will limit to alerting only on the first network connection */\\n\\nsequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"installutil.exe\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"installutil.exe\\\" and network.direction : (\\\"outgoing\\\", \\\"egress\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"revision\":0,\"current_rule\":{\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"updated_at\":\"2024-12-04T19:45:54.254Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.254Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSASS Clone Creation via PssCaptureSnapShot\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.code:\\\"4688\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSASS Clone Creation via PssCaptureSnapShot\",\"description\":\"Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. 
This may indicate an attempt to evade detection and dump LSASS memory for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/\",\"https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0ccfe8d8-9281-4d1d-8a11-1877a21d772a\",\"rule_id\":\"a16612dd-b30e-4d41-86a0-ebe70974ec00\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.254Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.code:\\\"4688\\\" and\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lsass.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Sysmon\",\"Data Source: 
System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"revision\":0,\"current_rule\":{\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"updated_at\":\"2024-12-04T19:45:40.230Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.230Z\",\"created_by\":\"elastic\",\"name\":\"Windows Subsystem for Linux Distribution Installed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Distribution Installed\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\n (\\\"HK*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Subsystem for Linux Distribution Installed\",\"description\":\"Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"3e47ef71-ebfc-4520-975c-cb27fc090799\",\"timeline_title\":\"Comprehensive Registry Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Distribution Installed\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e80f4583-77aa-49a5-9b13-c23ad160e7cd\",\"rule_id\":\"a1699af0-8e1e-4ed0-8ec1-89783538a061\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.230Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\n (\\\"HK*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"PackageFamilyName\\\" and\\n registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Lxss\\\\\\\\*\\\\\\\\PackageFamilyName\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"revision\":0,\"current_rule\":{\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"updated_at\":\"2024-12-04T19:45:54.262Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.262Z\",\"created_by\":\"elastic\",\"name\":\"Potential Reverse Shell Activity via Terminal\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Reverse Shell Activity via Terminal\\n\\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. 
This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\\n\\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\\n\\n#### Possible investigation steps\\n\\n- Examine the command line and extract the target domain or IP address information.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling 
an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.name in (\\\"sh\\\", \\\"bash\\\", \\\"zsh\\\", \\\"dash\\\", \\\"zmodload\\\") and\\n process.args : (\\\"*/dev/tcp/*\\\", \\\"*/dev/udp/*\\\", \\\"*zsh/net/tcp*\\\", \\\"*zsh/net/udp*\\\") and\\n\\n /* noisy FPs */\\n not (process.parent.name : \\\"timeout\\\" and process.executable : \\\"/var/lib/docker/overlay*\\\") and\\n not process.command_line : (\\n \\\"*/dev/tcp/sirh_db/*\\\", \\\"*/dev/tcp/remoteiot.com/*\\\", \\\"*dev/tcp/elk.stag.one/*\\\", \\\"*dev/tcp/kafka/*\\\",\\n \\\"*/dev/tcp/$0/$1*\\\", \\\"*/dev/tcp/127.*\\\", \\\"*/dev/udp/127.*\\\", \\\"*/dev/tcp/localhost/*\\\", \\\"*/dev/tcp/itom-vault/*\\\") and\\n not process.parent.command_line : \\\"runc init\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Reverse Shell Activity via Terminal\",\"description\":\"Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Reverse Shell Activity via Terminal\\n\\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. 
It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\\n\\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\\n\\n#### Possible investigation steps\\n\\n- Examine the command line and extract the target domain or IP address information.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c6c648dc-5ae4-442a-8ff5-a73d1e71daf8\",\"rule_id\":\"a1a0375f-22c2-48c0-81a4-7c2d11cc6856\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.262Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type in (\\\"start\\\", \\\"process_started\\\") and\\n process.name in (\\\"sh\\\", \\\"bash\\\", \\\"zsh\\\", \\\"dash\\\", \\\"zmodload\\\") and\\n process.args : (\\\"*/dev/tcp/*\\\", \\\"*/dev/udp/*\\\", \\\"*zsh/net/tcp*\\\", \\\"*zsh/net/udp*\\\") and\\n\\n /* noisy FPs */\\n not (process.parent.name : \\\"timeout\\\" and process.executable : \\\"/var/lib/docker/overlay*\\\") and\\n not process.command_line : (\\n \\\"*/dev/tcp/sirh_db/*\\\", \\\"*/dev/tcp/remoteiot.com/*\\\", \\\"*dev/tcp/elk.stag.one/*\\\", \\\"*dev/tcp/kafka/*\\\",\\n \\\"*/dev/tcp/$0/$1*\\\", \\\"*/dev/tcp/127.*\\\", \\\"*/dev/udp/127.*\\\", \\\"*/dev/tcp/localhost/*\\\", \\\"*/dev/tcp/itom-vault/*\\\") and\\n not process.parent.command_line : \\\"runc 
init\\\"\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\"],\"target_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://github.com/WangYihang/Reverse-Shell-Manager\",\"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"revision\":0,\"current_rule\":{\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"updated_at\":\"2024-12-04T19:45:54.264Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.264Z\",\"created_by\":\"elastic\",\"name\":\"Linux Group 
Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux Group Creation\\n\\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\\n\\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\\n\\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the group was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify if a user account was added to this group after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created group and, in case an account was added to this group, delete the account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"group\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"groupadd\\\", \\\"addgroup\\\") and group.name != 
null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux Group Creation\",\"description\":\"Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux Group Creation\\n\\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\\n\\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\\n\\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the group was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify if a user account was added to this group after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created group and, in case an account was added to this group, delete the account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"group.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0fefb51d-25c2-400a-b422-bba11308e90c\",\"rule_id\":\"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.264Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"group\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"groupadd\\\", \\\"addgroup\\\") and group.name != null\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"revision\":0,\"current_rule\":{\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"updated_at\":\"2024-12-04T19:45:40.233Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.233Z\",\"created_by\":\"elastic\",\"name\":\"DNS-over-HTTPS Enabled via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\",\"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : \\\"1\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" 
and\\n registry.data.strings : \\\"1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"DNS-over-HTTPS Enabled via Registry\",\"description\":\"Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html\",\"https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4b5aa05f-0552-4cd3-9ec8-0a6f2e4e73e0\",\"rule_id\":\"a22a09c2-2162-4df0-a356-9aacbeb56a04\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.233Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : \\\"1\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : 
\\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Edge\\\\\\\\BuiltInDnsClientEnabled\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")) or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Google\\\\\\\\Chrome\\\\\\\\DnsOverHttpsMode\\\" and\\n registry.data.strings : \\\"secure\\\") or\\n (registry.path : \\\"*\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Mozilla\\\\\\\\Firefox\\\\\\\\DNSOverHTTPS\\\" and\\n registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"updated_at\":\"2024-12-04T19:45:54.266Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.266Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Restrictions for Marketplace Modified to Allow Any App\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. 
Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\\n - Follow up with the user who added the application to ensure this was intended.\\n- Verify the application 
identified has been assessed thoroughly by an administrator.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G 
Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6089179?hl=en\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.event.type:\\\"APPLICATION_SETTINGS\\\" and google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\"\\n and google_workspace.admin.setting.name:\\\"Apps Access Setting Allowlist access\\\" and google_workspace.admin.new_value:\\\"ALLOW_ALL\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Restrictions for Marketplace Modified to Allow Any App\",\"description\":\"Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. 
Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\\n\\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\\n\\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\\n\\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\\n\\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\\n- With the user account, review other potentially related events within the last 48 hours.\\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\\n\\n### False positive analysis\\n\\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\\n - Follow up with the user who added the application to ensure this was intended.\\n- Verify the application identified has been assessed thoroughly by an administrator.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the 
possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.application.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"236c267d-3f7d-4466-9c8f-b280119474ef\",\"rule_id\":\"a2795334-2499-11ed-9e1a-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.266Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.action:\\\"CHANGE_APPLICATION_SETTING\\\" and event.category:(iam or configuration)\\n and google_workspace.event.type:\\\"APPLICATION_SETTINGS\\\" and google_workspace.admin.application.name:\\\"Google Workspace Marketplace\\\"\\n and google_workspace.admin.setting.name:\\\"Apps Access Setting Allowlist access\\\" and google_workspace.admin.new_value:\\\"ALLOW_ALL\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6089179?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6089179?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"revision\":0,\"current_rule\":{\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"updated_at\":\"2024-12-04T19:45:54.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.269Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Mailbox Collection Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Mailbox Collection Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to collect emails from local and remote mailboxes.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n - Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Related rules\\n\\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email 
Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1\",\"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n 
powershell.file.script_block_text : (\\n \\\"Microsoft.Office.Interop.Outlook\\\" or\\n \\\"Interop.Outlook.olDefaultFolders\\\" or\\n \\\"::olFolderInBox\\\"\\n ) or\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Exchange.WebServices.Data.Folder\\\" or\\n \\\"Microsoft.Exchange.WebServices.Data.FileAttachment\\\"\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Mailbox Collection Script\",\"description\":\"Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Mailbox Collection Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\\n\\nThis rule identifies scripts that contain methods and classes that can be abused to collect emails from local and remote mailboxes.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n - Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\\n\\n### Related rules\\n\\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1\",\"https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1114\",\"name\":\"Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/\",\"subtechnique\":[{\"id\":\"T1114.001\",\"name\":\"Local Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/001/\"},{\"id\":\"T1114.002\",\"name\":\"Remote Email Collection\",\"reference\":\"https://attack.mitre.org/techniques/T1114/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b2b21564-8d4a-4c9a-ae86-ec25529b27ec\",\"rule_id\":\"a2d04374-187c-4fd9-b513-3ad4e7fdd67a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Office.Interop.Outlook\\\" or\\n \\\"Interop.Outlook.olDefaultFolders\\\" or\\n \\\"::olFolderInBox\\\"\\n ) or\\n powershell.file.script_block_text : (\\n \\\"Microsoft.Exchange.WebServices.Data.Folder\\\" or\\n \\\"Microsoft.Exchange.WebServices.Data.FileAttachment\\\"\\n )\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"revision\":0,\"current_rule\":{\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"updated_at\":\"2024-12-04T19:45:54.275Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.275Z\",\"created_by\":\"elastic\",\"name\":\"Execution via local SxS Shared Module\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. 
Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1129\",\"name\":\"Shared Modules\",\"reference\":\"https://attack.mitre.org/techniques/T1129/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and file.extension : \\\"dll\\\" and file.path : \\\"C:\\\\\\\\*\\\\\\\\*.exe.local\\\\\\\\*.dll\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via local SxS Shared Module\",\"description\":\"Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1129\",\"name\":\"Shared Modules\",\"reference\":\"https://attack.mitre.org/techniques/T1129/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7833a787-adce-4263-b246-27e3d576b5e3\",\"rule_id\":\"a3ea12f3-0d4e-4667-8b44-4230c63f3c75\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:54.275Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and file.extension : \\\"dll\\\" and file.path : \\\"C:\\\\\\\\*\\\\\\\\*.exe.local\\\\\\\\*.dll\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"revision\":0,\"current_rule\":{\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"updated_at\":\"2024-12-04T19:46:04.733Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.733Z\",\"created_by\":\"elastic\",\"name\":\"AWS EC2 Instance Interaction with IAM Service\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. 
This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.\"],\"from\":\"now-6m\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://redcanary.com/blog/aws-sts/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains (user.id, \\\":i-\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS EC2 Instance Interaction with IAM Service\",\"description\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. 
It is meant to be used for correlation with other rules to detect suspicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"investigation_fields\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary.\"],\"references\":[\"https://redcanary.com/blog/aws-sts/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud 
Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9035a3a8-7c17-474e-8420-bc43a69775cf\",\"rule_id\":\"a44bcb58-5109-4870-a7c6-11f5fe7dd4b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.024Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.733Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS EC2\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \\\"i-\\\" which is the beginning pattern for assumed role sessions started by an EC2 instance.\",\"target_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. 
This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. When an EC2 instance assumes a role, its instance ID is used as the role session name, so the CloudTrail user.id value contains \\\":i-\\\". This rule looks for that \\\":i-\\\" pattern to identify assumed role sessions started by an EC2 instance. Because the role session name is chosen by whoever calls AssumeRole, the pattern alone does not prove the call originated from an EC2 instance; corroborate it with the instance ID, source address, and the IAM actions taken. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.\",\"merged_version\":\"Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. When an EC2 instance assumes a role, its instance ID is used as the role session name, so the CloudTrail user.id value contains \\\":i-\\\". This rule looks for that \\\":i-\\\" pattern to identify assumed role sessions started by an EC2 instance. Because the role session name is chosen by whoever calls AssumeRole, the pattern alone does not prove the call originated from an EC2 instance; corroborate it with the instance ID, source address, and the IAM actions taken. This is a [building block](https://www.elastic.co/guide/en/security/current/building-block-rule.html) rule and does not generate alerts on its own. 
It is meant to be used for correlation with other rules to detect suspicious activity.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}]},{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.001\",\"name\":\"Additional Cloud Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1098/001/\"},{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"aws.cloudtrail.user_identity.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"building_block\":{\"has_base_version\":false,\"target_version\":{\"type\":\"default\"},\"merged_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"investigation_fields\":{\"has_base_version\":false,\"target_version\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merged_version\":{\"field_names\":[\"@timestamp\",\"source.address\",\"user.name\",\"user.id\",\"aws.cloudtrail.user_identity.arn\",\"aws.cloudtrail.user_identity.type\",\"user_agent.original\",\"user.target.name\",\"event.action\",\"event.outcome\",\"cloud.region\",\"event.provider\",\"aws.cloudtrail.request_parameters\",\"aws.cloudtrail.response_elements\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains (user.id, \\\":i-\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"iam.amazonaws.com\\\"\\n and aws.cloudtrail.user_identity.type == \\\"AssumedRole\\\"\\n and stringContains(user.id, \\\":i-\\\")\\n and (\\n startsWith(event.action, \\\"Update\\\")\\n or startsWith(event.action, \\\"Attach\\\")\\n or startsWith(event.action, \\\"Detach\\\")\\n or startsWith(event.action, \\\"Create\\\")\\n or startsWith(event.action, \\\"Delete\\\")\\n or startsWith(event.action, \\\"Add\\\")\\n or startsWith(event.action, \\\"Remove\\\")\\n or startsWith(event.action, \\\"Put\\\")\\n or startsWith(event.action, \\\"Tag\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":10,\"num_fields_with_conflicts\":9,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"revision\":0,\"current_rule\":{\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"updated_at\":\"2024-12-04T19:45:55.340Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.340Z\",\"created_by\":\"elastic\",\"name\":\"Windows Registry File Creation in SMB Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage 
and analysis\\n\\n### Investigating Windows Registry File Creation in SMB Share\\n\\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\\n\\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes. Check whether the user should be performing this kind of activity and is aware of it.\\n\\n### Related rules\\n\\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Registry File Creation in SMB Share\",\"description\":\"Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled 
system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Registry File Creation in SMB Share\\n\\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\\n\\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/source host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\\n\\n### Related rules\\n\\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"912dc10b-85c9-45fe-8aa4-966d0296edc9\",\"rule_id\":\"a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.340Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n 
\\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n /* regf file header */\\n file.Ext.header_bytes : \\\"72656766*\\\" and file.size >= 30000 and\\n process.pid == 4 and user.id : (\\\"S-1-5-21*\\\", \\\"S-1-12-1-*\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\NTUSER.DAT.LASTGOOD.LOAD\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\UPM_Profile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\UsrClass.dat*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Netwrix\\\\\\\\Temp\\\\\\\\????????.???.offreg\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Packages\\\\\\\\Microsoft.*\\\\\\\\Settings\\\\\\\\settings.dat*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"revision\":0,\"current_rule\":{\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"updated_at\":\"2024-12-04T19:45:55.217Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.217Z\",\"created_by\":\"elastic\",\"name\":\"Potential Reverse Shell via UDP\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. 
This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the socket syscall's a1 argument (auditd.data.a1, the socket type) equals 2, i.e. SOCK_DGRAM, indicating a UDP socket, ending with an egress connection event to a destination that is not loopback, link-local, or multicast. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a1\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule no additional audit rules are required to be added to the integration.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"sample by host.id, process.pid, process.parent.pid\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"executed\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n 
\\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"socket\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and auditd.data.a1 == \\\"2\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connected-to\\\" and\\n process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and network.direction == \\\"egress\\\" and destination.ip != null and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Reverse Shell via UDP\",\"description\":\"This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. 
An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1071\",\"name\":\"Application Layer Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1071/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Auditbeat\\n- Auditd Manager\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. 
For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule no additional audit rules are required to be added to the 
integration.\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a1\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"12e7546b-2b12-4789-83ea-21190eac9f36\",\"rule_id\":\"a5eb21b7-13cc-4b94-9fe2-29bb2914e037\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.217Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sample by host.id, process.pid, process.parent.pid\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"executed\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n )]\\n [process where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"socket\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", 
\\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and auditd.data.a1 == \\\"2\\\"]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connected-to\\\" and\\n process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"perl\\\", \\\"python*\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"php*\\\",\\n \\\"ruby\\\", \\\"openssl\\\", \\\"awk\\\", \\\"telnet\\\", \\\"lua*\\\", \\\"socat\\\"\\n ) and network.direction == \\\"egress\\\" and destination.ip != null and\\n not cidrmatch(destination.ip, \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"224.0.0.0/4\\\", \\\"::1\\\")]\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\"],\"target_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merged_version\":[\"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\",\"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"revision\":0,\"current_rule\":{\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"updated_at\":\"2024-12-04T19:45:55.226Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.226Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious MS Office Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Office Child Process\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThis rule looks for suspicious processes spawned by MS Office programs. 
This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing 
Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/blog/vulnerability-summary-follina\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\n \\\"eqnedt32.exe\\\", \\\"excel.exe\\\", \\\"fltldr.exe\\\", \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\", \\\"powerpnt.exe\\\", \\\"winword.exe\\\", \\\"outlook.exe\\\"\\n ) and\\n process.name : (\\n \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\",\\n \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\",\\n \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\n \\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"hh.exe\\\", \\\"msdt.exe\\\"\\n ) and\\n not (\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"shell32.dll,Control_RunDLL\\\" and\\n 
process.args : \\\"srchadmin.dll\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious MS Office Child Process\",\"description\":\"Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious MS Office Child Process\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/blog/vulnerability-summary-follina\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"088b8902-a3db-48df-928d-cb5abd616aa0\",\"rule_id\":\"a624863f-a70d-417f-a7d2-7a404638d47f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.226Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\n 
\\\"eqnedt32.exe\\\", \\\"excel.exe\\\", \\\"fltldr.exe\\\", \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\", \\\"powerpnt.exe\\\", \\\"winword.exe\\\", \\\"outlook.exe\\\"\\n ) and\\n process.name : (\\n \\\"Microsoft.Workflow.Compiler.exe\\\", \\\"arp.exe\\\", \\\"atbroker.exe\\\", \\\"bginfo.exe\\\", \\\"bitsadmin.exe\\\", \\\"cdb.exe\\\",\\n \\\"certutil.exe\\\", \\\"cmd.exe\\\", \\\"cmstp.exe\\\", \\\"control.exe\\\", \\\"cscript.exe\\\", \\\"csi.exe\\\", \\\"dnx.exe\\\", \\\"dsget.exe\\\",\\n \\\"dsquery.exe\\\", \\\"forfiles.exe\\\", \\\"fsi.exe\\\", \\\"ftp.exe\\\", \\\"gpresult.exe\\\", \\\"hostname.exe\\\", \\\"ieexec.exe\\\", \\\"iexpress.exe\\\",\\n \\\"installutil.exe\\\", \\\"ipconfig.exe\\\", \\\"mshta.exe\\\", \\\"msxsl.exe\\\", \\\"nbtstat.exe\\\", \\\"net.exe\\\", \\\"net1.exe\\\", \\\"netsh.exe\\\",\\n \\\"netstat.exe\\\", \\\"nltest.exe\\\", \\\"odbcconf.exe\\\", \\\"ping.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"qprocess.exe\\\",\\n \\\"quser.exe\\\", \\\"qwinsta.exe\\\", \\\"rcsi.exe\\\", \\\"reg.exe\\\", \\\"regasm.exe\\\", \\\"regsvcs.exe\\\", \\\"regsvr32.exe\\\", \\\"sc.exe\\\",\\n \\\"schtasks.exe\\\", \\\"systeminfo.exe\\\", \\\"tasklist.exe\\\", \\\"tracert.exe\\\", \\\"whoami.exe\\\", \\\"wmic.exe\\\", \\\"wscript.exe\\\",\\n \\\"xwizard.exe\\\", \\\"explorer.exe\\\", \\\"rundll32.exe\\\", \\\"hh.exe\\\", \\\"msdt.exe\\\"\\n ) and\\n not (\\n process.parent.name : \\\"outlook.exe\\\" and\\n process.name : \\\"rundll32.exe\\\" and\\n process.args : \\\"shell32.dll,Control_RunDLL\\\" and\\n process.args : \\\"srchadmin.dll\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"revision\":0,\"current_rule\":{\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"updated_at\":\"2024-12-04T19:45:55.234Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.234Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler SPL File Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and 
CVE-2020-1337.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Print Spooler SPL File Created\\n\\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\\n\\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\`, which is an essential step in exploiting these vulnerabilities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, Windows Security event ID 4624) to the target host after the SPL file creation.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : \\\"spl\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\PRINTERS\\\\\\\\*\\\" and\\n not process.name : (\\\"spoolsv.exe\\\",\\n \\\"printfilterpipelinesvc.exe\\\",\\n \\\"PrintIsolationHost.exe\\\",\\n \\\"splwow64.exe\\\",\\n \\\"msiexec.exe\\\",\\n \\\"poqexec.exe\\\",\\n \\\"System\\\") and\\n not user.id : \\\"S-1-5-18\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\printui.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~2\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler SPL File Created\",\"description\":\"Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and 
CVE-2020-1337.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Print Spooler SPL File Created\\n\\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\\n\\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\`, which is an essential step in exploiting these vulnerabilities.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, Cisco Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, Windows Security event ID 4624) to the target host after the SPL file creation.\\n\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of process executable and file conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"06f6ce5c-7b90-4740-a50e-304961a15f8b\",\"rule_id\":\"a7ccae7b-9d2c-44b2-a061-98e5946971fa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.234Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : \\\"spl\\\" and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\PRINTERS\\\\\\\\*\\\" and\\n not process.name : (\\\"spoolsv.exe\\\",\\n \\\"printfilterpipelinesvc.exe\\\",\\n \\\"PrintIsolationHost.exe\\\",\\n \\\"splwow64.exe\\\",\\n \\\"msiexec.exe\\\",\\n \\\"poqexec.exe\\\",\\n \\\"System\\\") and\\n not user.id : \\\"S-1-5-18\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\Mup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\printui.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\PROGRA~2\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\rundll32.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"low\",\"merged_version\":\"low\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":21,\"merged_version\":21,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"revision\":0,\"current_rule\":{\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"updated_at\":\"2024-12-04T19:45:55.236Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.236Z\",\"created_by\":\"elastic\",\"name\":\"Credential Acquisition via Registry Hive Dumping\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Credential Acquisition via Registry Hive Dumping\\n\\nDumping registry hives is a common way to access credential information as some hives store credential material.\\n\\nFor example, the SAM hive stores local account password hashes, and the SECURITY hive stores LSA secrets, including domain cached credentials.\\n\\nDumping these hives in combination with the SYSTEM hive (which holds the boot key) 
enables the attacker to decrypt these secrets.\\n\\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., Windows Security event ID 4624) to the target host.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitimately performing this kind of activity.\\n\\n### Related rules\\n\\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA 
Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"reg.exe\\\" or process.name : \\\"reg.exe\\\") and\\n process.args : (\\\"save\\\", \\\"export\\\") and\\n process.args : (\\\"hklm\\\\\\\\sam\\\", \\\"hklm\\\\\\\\security\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Credential Acquisition via Registry 
Hive Dumping\",\"description\":\"Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Credential Acquisition via Registry Hive Dumping\\n\\nDumping registry hives is a common way to access credential information as some hives store credential material.\\n\\nFor example, the SAM hive stores local account password hashes, and the SECURITY hive stores LSA secrets, including domain cached credentials.\\n\\nDumping these hives in combination with the SYSTEM hive (which holds the boot key) enables the attacker to decrypt these secrets.\\n\\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., Windows Security event ID 4624) to the target host.\\n\\n### False positive analysis\\n\\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitimately performing this kind of activity.\\n\\n### Related rules\\n\\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.004\",\"name\":\"LSA Secrets\",\"reference\":\"https://attack.mitre.org/techniques/T1003/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a741c633-2356-4b83-b461-513661eb6d6d\",\"rule_id\":\"a7e7bfa3-088e-4f13-b29e-3986e0e756b8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.236Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"reg.exe\\\" or process.name : \\\"reg.exe\\\") and\\n process.args : (\\\"save\\\", \\\"export\\\") and\\n process.args : (\\\"hklm\\\\\\\\sam\\\", 
\\\"hklm\\\\\\\\security\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"revision\":0,\"current_rule\":{\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"updated_at\":\"2024-12-04T19:46:04.738Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.738Z\",\"created_by\":\"elastic\",\"name\":\"Privileged Docker Container Creation\",\"tags\":[\"Domain: Endpoint\",\"Domain: Container\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. 
Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. access.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## 
Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\\nprocess.args:(run and --privileged)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Privileged Docker Container Creation\",\"description\":\"This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. 
access.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"Domain: Container\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"setup\":\"## Setup\\nThis rule requires data coming in from Elastic Defend.\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4e577316-2d24-40a4-8dd7-768319d448cb\",\"rule_id\":\"a80d96cd-1164-41b3-9852-ef58724be496\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.738Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\\nprocess.args:(run and --privileged)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"merged_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]},{\"id\":\"T1609\",\"name\":\"Container Administration Command\",\"reference\":\"https://attack.mitre.org/techniques/T1609/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1611\",\"name\":\"Escape to Host\",\"reference\":\"https://attack.mitre.org/techniques/T1611/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"updated_at\":\"2024-12-04T19:45:55.245Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.245Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious File Downloaded from Google Drive\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious file download activity from a Google Drive URL. 
This could indicate an attempt to deliver phishing payloads via a trusted webservice.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Approved third-party applications that use Google Drive download URLs.\",\"Legitimate publicly shared files from Google Drive.\"],\"from\":\"now-9m\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\"],\"query\":\"process where\\n\\n /* common browser processes */\\n event.action in (\\\"exec\\\", \\\"fork\\\", \\\"start\\\") and \\n\\n process.name : (\\\"Microsoft Edge\\\", \\\"chrome.exe\\\", \\\"Google Chrome\\\", \\\"google-chrome-stable\\\", \\n \\\"google-chrome-beta\\\", \\\"google-chrome\\\", \\\"msedge.exe\\\", \\\"firefox.exe\\\", \\\"brave.exe\\\", \\n \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", 
\\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"firefox\\\", \\n \\\"powershell.exe\\\", \\\"curl\\\", \\\"curl.exe\\\", \\\"wget\\\", \\\"wget.exe\\\") and \\n\\n /* Look for Google Drive download URL with AV flag skipping */\\n (process.command_line : \\\"*drive.google.com*\\\" and process.command_line : \\\"*export=download*\\\" and process.command_line : \\\"*confirm=no_antivirus*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious File Downloaded from Google Drive\",\"description\":\"Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Approved third-party applications that use Google Drive download URLs.\",\"Legitimate publicly shared files from Google Drive.\"],\"references\":[\"https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05f0d7e7-7f12-4587-b946-ab4682c3ab40\",\"rule_id\":\"a8afdce2-0ec1-11ee-b843-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.245Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where\\n\\n /* common browser processes */\\n event.action in (\\\"exec\\\", \\\"fork\\\", \\\"start\\\") and \\n\\n process.name : (\\\"Microsoft Edge\\\", \\\"chrome.exe\\\", \\\"Google Chrome\\\", \\\"google-chrome-stable\\\", \\n \\\"google-chrome-beta\\\", \\\"google-chrome\\\", \\\"msedge.exe\\\", \\\"firefox.exe\\\", \\\"brave.exe\\\", \\n \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\", \\\"firefox\\\", \\n \\\"powershell.exe\\\", \\\"curl\\\", \\\"curl.exe\\\", \\\"wget\\\", \\\"wget.exe\\\") and \\n\\n /* Look for Google Drive download URL with AV flag skipping */\\n (process.command_line : \\\"*drive.google.com*\\\" and process.command_line : \\\"*export=download*\\\" and process.command_line : \\\"*confirm=no_antivirus*\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"auditbeat-*\",\"logs-endpoint*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"revision\":0,\"current_rule\":{\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"updated_at\":\"2024-12-04T19:45:55.252Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.252Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Password Policy Modified\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation 
Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Password Policy Modified\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\\n\\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\\n\\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\\n\\n#### Possible investigation steps\\n\\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method 
used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider resetting passwords for potentially affected users.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Password policies may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\\n google_workspace.admin.setting.name:(\\n \\\"Password Management - Enforce strong password\\\" or\\n \\\"Password Management - Password reset frequency\\\" or\\n \\\"Password Management - Enable password reuse\\\" or\\n \\\"Password Management - Enforce password policy at next login\\\" or\\n \\\"Password Management - Minimum password length\\\" or\\n \\\"Password Management - Maximum password length\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google 
Workspace Password Policy Modified\",\"description\":\"Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Password Policy Modified\\n\\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\\n\\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. 
Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\\n\\nThis rule detects when a Google Workspace password policy setting is created or modified, for example to decrease password complexity or to adjust the reuse and reset frequency. The query matches any change to the listed settings regardless of direction, so compare the `google_workspace.admin.old_value` and `google_workspace.admin.new_value` fields to confirm whether the policy was actually weakened.\\n\\n#### Possible investigation steps\\n\\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\\n- Identify the password setting that was created or adjusted by reviewing the `google_workspace.admin.setting.name` field.\\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\\n- After identifying the involved user, verify that their administrative privileges are properly scoped to make this change.\\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\\n\\n### False positive analysis\\n\\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider resetting passwords for potentially affected users.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to 
identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.setting.name\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"91021177-887a-46b4-a83f-6477e1dde2ab\",\"rule_id\":\"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.252Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\\n google_workspace.admin.setting.name:(\\n \\\"Password Management - Enforce strong password\\\" or\\n \\\"Password Management - Password reset frequency\\\" or\\n \\\"Password Management - Enable password reuse\\\" or\\n \\\"Password Management - Enforce password policy at next login\\\" or\\n \\\"Password Management - Minimum password length\\\" or\\n \\\"Password Management - Maximum password length\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"revision\":0,\"current_rule\":{\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"updated_at\":\"2024-12-04T19:45:40.240Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.240Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Hidden Run Key Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. 
An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/outflanknl/SharpHide\",\"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* Registry Path ends with backslash */\\nregistry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and length(registry.data.strings) > 0 and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n 
\\\"HKLM\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Hidden Run Key Detected\",\"description\":\"Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. 
An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/outflanknl/SharpHide\",\"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for 
versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bdf96f45-7acf-4f20-b584-0c5321001619\",\"rule_id\":\"a9b05c3b-b304-4bf9-970d-acdfaef2944c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.240Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Registry Path ends with backslash */\\nregistry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and length(registry.data.strings) > 0 and\\n registry.path : (\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run\\\\\\\\\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"revision\":0,\"current_rule\":{\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"updated_at\":\"2024-12-04T19:45:55.254Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.254Z\",\"created_by\":\"elastic\",\"name\":\"IPSEC NAT Traversal Port Activity\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. 
This is uncommon but such servers can be excluded.\"],\"from\":\"now-9m\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"IPSEC NAT Traversal Port Activity\",\"description\":\"This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. 
This may be common on your network, but this technique is also used by threat actors to avoid detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port can fall within a client's ephemeral source-port range, this rule may generate false positives under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and 
Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e092754-39c3-4284-8a49-28bd8bdfc950\",\"rule_id\":\"a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.254Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"revision\":0,\"current_rule\":{\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"updated_at\":\"2024-12-04T19:45:55.259Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.259Z\",\"created_by\":\"elastic\",\"name\":\"System Log File Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deletion of sensitive Linux system logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.002\",\"name\":\"Clear Linux or Mac System Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Log File Deletion\",\"description\":\"Identifies the deletion of sensitive Linux system logs. 
This may indicate an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.002\",\"name\":\"Clear Linux or Mac System Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"72d7d7ed-ec56-4e31-a822-bcb096b7ca8b\",\"rule_id\":\"aa895aea-b69c-4411-b110-8d7599634b30\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.259Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n 
\\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\"],\"target_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merged_version\":[\"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html\",\"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", 
\\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"deletion\\\" and\\n file.path :\\n (\\n \\\"/var/run/utmp\\\",\\n \\\"/var/log/wtmp\\\",\\n \\\"/var/log/btmp\\\",\\n \\\"/var/log/lastlog\\\",\\n \\\"/var/log/faillog\\\",\\n \\\"/var/log/syslog\\\",\\n \\\"/var/log/messages\\\",\\n \\\"/var/log/secure\\\",\\n \\\"/var/log/auth.log\\\",\\n \\\"/var/log/boot.log\\\",\\n \\\"/var/log/kern.log\\\",\\n \\\"/var/log/dmesg\\\"\\n ) and\\n not process.name in (\\\"gzip\\\", \\\"executor\\\", \\\"dockerd\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"revision\":0,\"current_rule\":{\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"updated_at\":\"2024-12-04T19:45:55.261Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.261Z\",\"created_by\":\"elastic\",\"name\":\"Remotely Started Services via RPC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation 
Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remotely Started Services via RPC\\n\\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\\n\\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == 
null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1s\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"services.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port >= 49152 and destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n [process where host.os.type == 
\\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : \\\"services.exe\\\" and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"/V\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\srmhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\"\\n )] by host.id, process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remotely Started Services via RPC\",\"description\":\"Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remotely Started Services via RPC\\n\\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\\n\\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
Use the `source.address` field to help identify the source system.\\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services 
Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true}],\"id\":\"50f2d299-be20-41eb-b105-47eb0b9626fc\",\"rule_id\":\"aa9a274d-6b53-424d-ac5e-cb8ca4251650\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.261Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1s\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"services.exe\\\" and\\n network.direction : (\\\"incoming\\\", \\\"ingress\\\") and network.transport == \\\"tcp\\\" and\\n source.port >= 49152 and destination.port >= 49152 and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"\\n ] by host.id, process.entity_id\\n [process where host.os.type == \\\"windows\\\" and \\n event.type == \\\"start\\\" and process.parent.name : 
\\\"services.exe\\\" and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"/V\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\srmhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\"\\n )] by host.id, process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\"],\"target_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"revision\":0,\"current_rule\":{\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"updated_at\":\"2024-12-04T19:45:55.269Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.269Z\",\"created_by\":\"elastic\",\"name\":\"Remote Execution via File Shares\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Execution via File Shares\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.exe
cutable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"],\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint2010.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\", \\\"PDQInventoryWakeCommand-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n )\\n )\\n ] by host.id, process.executable\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Execution via File Shares\",\"description\":\"Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote Execution via File Shares\\n\\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. 
These tools can include discovery utilities, credential dumpers, malware, etc.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services 
Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Review the privileges needed to write to the network share and restrict write access as needed.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"2968a2ec-8287-43f4-916f-b09faed35ccf\",\"rule_id\":\"ab75c24b-2502-43a0-bf7c-e60e662c811e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.025Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:45:55.269Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\"],\"target_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", 
\\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint2010.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\", \\\"PDQInventoryWakeCommand-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n )\\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name : (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=1m\\n [file where host.os.type == \\\"windows\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and \\n process.pid == 4 and (file.extension : \\\"exe\\\" or file.Ext.header_bytes : \\\"4d5a*\\\")] by host.id, file.path\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n not (\\n /* Veeam related processes */\\n (\\n process.name 
: (\\n \\\"VeeamGuestHelper.exe\\\", \\\"VeeamGuestIndexer.exe\\\", \\\"VeeamAgent.exe\\\", \\\"VeeamLogShipper.exe\\\", \\\"Veeam.VSS.Sharepoint20??.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Veeam Software Group GmbH\\\"\\n ) or\\n /* PDQ related processes */\\n (\\n process.name : (\\n \\\"PDQInventoryScanner.exe\\\", \\\"PDQInventoryMonitor.exe\\\", \\\"PDQInventory-Scanner-?.exe\\\",\\n \\\"PDQInventoryWakeCommand-?.exe\\\", \\\"PDQDeployRunner-?.exe\\\"\\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \\\"PDQ.com Corporation\\\"\\n ) or\\n /* CrowdStrike related processes */\\n (\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-WindowsSensor.*.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CrowdStrike, Inc.\\\") or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\drivers\\\\\\\\CrowdStrike\\\\\\\\*-CsInstallerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Windows Hardware Compatibility Publisher\\\")\\n ) or\\n /* MS related processes */\\n (\\n process.executable == \\\"System\\\" or\\n (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\ccmsetup\\\\\\\\ccmsetup.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"Microsoft Corporation\\\")\\n ) or\\n /* CyberArk processes */\\n (\\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\" and \\n process.code_signature.trusted == true and process.code_signature.subject_name : \\\"CyberArk Software Ltd.\\\"\\n ) or\\n /* Sophos processes */\\n (\\n process.executable : \\\"?:\\\\\\\\ProgramData\\\\\\\\Sophos\\\\\\\\AutoUpdate\\\\\\\\Cache\\\\\\\\sophos_autoupdate1.dir\\\\\\\\SophosUpdate.exe\\\" and \\n process.code_signature.trusted == true and 
process.code_signature.subject_name : \\\"Sophos Ltd\\\"\\n ) \\n )\\n ] by host.id, process.executable\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"revision\":0,\"current_rule\":{\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"updated_at\":\"2024-12-04T19:46:04.746Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.746Z\",\"created_by\":\"elastic\",\"name\":\"AWS S3 Object Encryption Using External KMS Key\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Data Source: AWS KMS\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS S3 Object Encryption Using External KMS Key\\n\\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. 
Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action.\"],\"from\":\"now-9m\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/\",\"https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/\",\"https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"AWS S3 data event types need to be enabled in the CloudTrail trail configuration.\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful copy event\\n| where 
event.dataset == \\\"aws.cloudtrail\\\" \\n and event.provider == \\\"s3.amazonaws.com\\\" \\n and event.action == \\\"CopyObject\\\" \\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id \\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS S3 Object Encryption Using External KMS Key\",\"description\":\"Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\\n## Triage and Analysis\\n\\n### Investigating AWS S3 Object Encryption Using External KMS Key\\n\\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. 
Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\\n\\n#### Possible Investigation Steps:\\n\\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\\n\\n### False Positive Analysis:\\n\\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\\n\\n### Response and Remediation:\\n\\n- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.\\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\\n\\n### Additional Information:\\n\\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\\n\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Data Source: AWS KMS\",\"Use Case: Threat Detection\",\"Tactic: Impact\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. 
Ensure that this behavior is not part of a legitimate operation before taking action.\"],\"references\":[\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/\",\"https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/\",\"https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/\",\"https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"setup\":\"AWS S3 data event types need to be enabled in the CloudTrail trail configuration.\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"d29fa7b7-c2e2-4217-b77c-0dfdf52db3f8\",\"rule_id\":\"ab8f074c-5565-4bc4-991c-d49770e19fc9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.746Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\" \\n and event.provider == \\\"s3.amazonaws.com\\\" \\n and event.action == \\\"CopyObject\\\" \\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where 
cloud.account.id != key.account.id \\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n\\n// any successful copy event\\n| where event.dataset == \\\"aws.cloudtrail\\\"\\n and event.provider == \\\"s3.amazonaws.com\\\"\\n and event.action == \\\"CopyObject\\\"\\n and event.outcome == \\\"success\\\"\\n\\n// abstract key account id, key id, encrypted object bucket name and object name\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\\\"\\n\\n// filter for s3 objects whose account id is different from the encryption key's account id\\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\\n| where cloud.account.id != key.account.id\\n\\n// keep relevant fields\\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, target.bucketName, key.account.id, keyId, target.objectName\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"revision\":0,\"current_rule\":{\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"updated_at\":\"2024-12-04T19:45:55.271Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.271Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Process Calling the Metadata Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Looks for anomalous access to the metadata service by an unusual process. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.\"],\"from\":\"now-45m\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_process\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Process Calling the Metadata Service\",\"description\":\"Looks for anomalous access to the metadata service by an unusual process. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"8253b2b1-c650-49af-922f-b2a8021c5d8d\",\"rule_id\":\"abae61a8-c560-4dbd-acca-1e1438bff36b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.271Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_process\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"revision\":0,\"current_rule\":{\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"updated_at\":\"2024-12-04T19:45:55.280Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.280Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WerFault Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Windows error reporting debugger or applications restarted by WerFault after a crash.\"],\"from\":\"now-9m\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx\",\"http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/\"],\"version\":314,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n process.parent.name : \\\"WerFault.exe\\\" and\\n\\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\\n (process.parent.args : \\\"-s\\\" and process.parent.args : \\\"-t\\\" and process.parent.args : \\\"-c\\\") and\\n\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Initcrypt.exe\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Heimdal\\\\\\\\Heimdal.Guard.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WerFault Child Process\",\"description\":\"A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. 
Verify process details such as command line, network connections and file writes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":415,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Windows error reporting debugger or applications restarted by WerFault after a crash.\"],\"references\":[\"https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/\",\"https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx\",\"http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.012\",\"name\":\"Image File Execution Options Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1546/012/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"055a0b05-90e5-40bb-87a5-e5012a95fed4\",\"rule_id\":\"ac5012b8-8da8-440b-aaaf-aedafdea2dff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.280Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n\\n process.parent.name : \\\"WerFault.exe\\\" and\\n\\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\\n (process.parent.args : \\\"-s\\\" and process.parent.args : \\\"-t\\\" and process.parent.args : \\\"-c\\\") and\\n\\n not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\Initcrypt.exe\\\", \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Heimdal\\\\\\\\Heimdal.Guard.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":314,\"target_version\":415,\"merged_version\":415,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"revision\":0,\"current_rule\":{\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"updated_at\":\"2024-12-04T19:46:04.748Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.748Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. 
Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", 
\\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Created or Modified\",\"description\":\"This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. 
Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0297e525-aac3-4b18-b06e-0ebc0db89723\",\"rule_id\":\"ac531fcc-1d3b-476d-bbb5-1357728c9a37\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.748Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", 
\\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://git-scm.com/docs/githooks/2.26.0\"],\"target_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://git-scm.com/docs/githooks/2.26.0\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n 
process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"creation\\\" and file.path : \\\"*.git/hooks/*\\\" and\\nfile.extension == null and process.executable != null and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", 
\\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/usr/bin/pamac-daemon\\\", \\\"/bin/pamac-daemon\\\",\\n \\\"/usr/local/bin/dockerd\\\", \\\"/sbin/dockerd\\\"\\n ) or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.name in (\\\"git\\\", \\\"dirname\\\", \\\"tar\\\", \\\"gitea\\\", \\\"git-lfs\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"revision\":0,\"current_rule\":{\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"updated_at\":\"2024-12-04T19:46:04.750Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.750Z\",\"created_by\":\"elastic\",\"name\":\"Outlook Home Page Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.004\",\"name\":\"Outlook Home 
Page\",\"reference\":\"https://attack.mitre.org/techniques/T1137/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/\",\"https://github.com/trustedsec/specula\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Outlook Home Page Registry Modification\",\"description\":\"Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or 
persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/\",\"https://github.com/trustedsec/specula\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.004\",\"name\":\"Outlook Home 
Page\",\"reference\":\"https://attack.mitre.org/techniques/T1137/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"624a407a-3483-45a4-a55b-d9a7b312b13c\",\"rule_id\":\"ac5a2759-5c34-440a-b0c4-51fe674611d6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.750Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : 
\\\"*http*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"URL\\\" and\\n registry.path : (\\n \\\"HKCU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Outlook\\\\\\\\Webview\\\\\\\\Inbox\\\\\\\\URL\\\"\\n ) and registry.data.strings : \\\"*http*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"revision\":0,\"current_rule\":{\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"updated_at\":\"2024-12-04T19:45:55.287Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.287Z\",\"created_by\":\"elastic\",\"name\":\"Potential Invoke-Mimikatz PowerShell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. 
This rule detects Invoke-Mimikatz PowerShell script and alike.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz PowerShell Activity\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\\n\\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikatz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\\n\\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Invoke-Mimikatz and alike scripts heavily use other capabilities covered by other detections described in the \\\"Related Rules\\\" section.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/software/S0002/\",\"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\npowershell.file.script_block_text:(\\n (DumpCreds and\\n DumpCerts) or\\n \\\"sekurlsa::logonpasswords\\\" or\\n (\\\"crypto::certificates\\\" and\\n \\\"CERT_SYSTEM_STORE_LOCAL_MACHINE\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Invoke-Mimikatz PowerShell Script\",\"description\":\"Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. 
This rule detects Invoke-Mimikatz PowerShell script and alike.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz PowerShell Activity\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\\n\\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikatz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\\n\\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Invoke-Mimikatz and alike scripts heavily use other capabilities covered by other detections described in the \\\"Related Rules\\\" section.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/software/S0002/\",\"https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\\n\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"28328685-944c-4a61-9a58-380eb71c7016\",\"rule_id\":\"ac96ceb8-4399-4191-af1d-4feeac1f1f46\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.287Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\npowershell.file.script_block_text:(\\n (DumpCreds and\\n DumpCerts) or\\n \\\"sekurlsa::logonpasswords\\\" or\\n (\\\"crypto::certificates\\\" and\\n \\\"CERT_SYSTEM_STORE_LOCAL_MACHINE\\\")\\n)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"revision\":0,\"current_rule\":{\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"updated_at\":\"2024-12-04T19:45:55.290Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.290Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace API Access Granted via Domain-Wide Delegation\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target’s data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\\n\\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. 
Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\\n\\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\\n\\nThis rule identifies when an application is authorized API client access.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - Only users with super admin privileges can authorize API client access.\\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\\n\\n### False positive analysis\\n\\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\\n- Review scheduled maintenance notes related to expected API access changes.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the scope of the authorized API client access in Google Workspace.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\"],\"version\":206,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin\\n and event.provider:admin\\n and event.category:iam\\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\\n and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace API Access Granted via Domain-Wide Delegation\",\"description\":\"Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. 
An adversary may configure domain-wide delegation to maintain access to their target’s data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\\n\\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\\n\\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\\n\\nThis rule identifies when an application is authorized API client access.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - Only users with super admin privileges can authorize API client access.\\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\\n\\n### False positive analysis\\n\\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\\n- Review scheduled maintenance notes related to expected API access changes.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Review the scope of the authorized API client access in Google Workspace.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"467b2038-97a2-41d8-bf73-ac861bc7900d\",\"rule_id\":\"acbc8bb9-2486-49a8-8779-45fb5f9a93ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.290Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin\\n and event.provider:admin\\n and event.category:iam\\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\\n and 
event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":206,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\"],\"target_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"revision\":0,\"current_rule\":{\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"updated_at\":\"2024-12-04T19:45:55.297Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.297Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Managed Code Hosting Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code 
execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : (\\\"wscript.exe.log\\\",\\n \\\"cscript.exe.log\\\",\\n \\\"mshta.exe.log\\\",\\n \\\"wmic.exe.log\\\",\\n \\\"svchost.exe.log\\\",\\n \\\"dllhost.exe.log\\\",\\n \\\"cmstp.exe.log\\\",\\n \\\"regsvr32.exe.log\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Managed Code Hosting Process\",\"description\":\"Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code 
execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55f0ef79-b468-445b-bf36-8078272140a4\",\"rule_id\":\"acf738b5-b5b2-4acc-bad9-1e18ee234f40\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.027Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.297Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : (\\\"wscript.exe.log\\\",\\n \\\"cscript.exe.log\\\",\\n \\\"mshta.exe.log\\\",\\n \\\"wmic.exe.log\\\",\\n \\\"svchost.exe.log\\\",\\n \\\"dllhost.exe.log\\\",\\n \\\"cmstp.exe.log\\\",\\n \\\"regsvr32.exe.log\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"revision\":0,\"current_rule\":{\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"updated_at\":\"2024-12-04T19:45:55.299Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.299Z\",\"created_by\":\"elastic\",\"name\":\"Signed Proxy Execution via MS Work Folders\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. 
Misuse of Windows Work Folders could indicate malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Signed Proxy Execution via MS Work Folders\\n\\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\\n\\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\\ndisk from a separate binary.\\n\\n### False positive analysis\\n\\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\\n- Confirm with the user whether this was expected or not, and reset their password.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview\",\"https://twitter.com/ElliotKillick/status/1449812843772227588\",\"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\"\\n and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Signed Proxy Execution via MS Work Folders\",\"description\":\"Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Signed Proxy Execution via MS Work Folders\\n\\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\\n\\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\\ndisk from a separate binary.\\n\\n### False positive analysis\\n\\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\\n- Confirm with the user whether this was expected or not, and reset their password.\\n\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview\",\"https://twitter.com/ElliotKillick/status/1449812843772227588\",\"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6afcaf5a-fb46-49e8-9ff4-b0b5dd710eb8\",\"rule_id\":\"ad0d2742-9a49-11ec-8d6b-acde48001122\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.299Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : 
\\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## 
Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\"\\n and not process.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"control.exe\\\" and process.parent.name : \\\"WorkFolders.exe\\\" and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\control.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\control.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"revision\":0,\"current_rule\":{\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"updated_at\":\"2024-12-04T19:45:55.302Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.302Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Custom Admin Role Created\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a custom admin role is created in Google Workspace. 
An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Admin Role Created\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\\n\\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace what actions are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that created the role, verify whether the action was intentional.\\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Custom Admin Role Created\",\"description\":\"Detects when a custom admin role is created in Google Workspace. 
An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target’s environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Custom Admin Role Created\\n\\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\\n\\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\\n\\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\\n - The `event.action` field will help trace what actions are being taken by users.\\n\\n### False positive analysis\\n\\n- After identifying the user account that created the role, verify whether the action was intentional.\\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Resources: Investigation Guide\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Custom Google Workspace admin roles may be created by system administrators. 
Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"66f82658-1756-40a2-9d99-54050e9e85df\",\"rule_id\":\"ad3f2807-2b3e-47d7-b282-f84acbbe14be\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.302Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/2406043?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/2406043?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"revision\":0,\"current_rule\":{\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"updated_at\":\"2024-12-04T19:45:55.304Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.304Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Portable Executable Encoded in Powershell Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. 
Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host around the time the script was executed.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar 
software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n TVqQAAMAAAAEAAAA\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Portable Executable Encoded in Powershell Script\",\"description\":\"Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. 
Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar 
software.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell 
>\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b668875e-bdc5-4552-8969-5b619e2bdaae\",\"rule_id\":\"ad84d445-b1ce-4377-82d9-7c633f28bf9a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.304Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n TVqQAAMAAAAEAAAA\\n ) and not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"revision\":0,\"current_rule\":{\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"updated_at\":\"2024-12-04T19:45:55.309Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.309Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious APT Package Manager Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"python*\\\", \\\"php*\\\",\\n \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious APT Package Manager Execution\",\"description\":\"Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. 
In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"540bca9e-22ba-4d56-9428-071e7e5c8f61\",\"rule_id\":\"ad959eeb-2b7b-4722-ba08-a45f6622f005\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.309Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\"\\n )\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name : (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\", \\\"python*\\\", \\\"php*\\\",\\n \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"revision\":0,\"current_rule\":{\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"updated_at\":\"2024-12-04T19:45:55.323Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.323Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution via Microsoft Office Add-Ins\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/Octoberfest7/XLL_Phishing\",\"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where \\n \\n host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n \\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSACCESS.EXE\\\", \\\"VSTOInstaller.exe\\\") and \\n \\n process.args regex~ \\\"\\\"\\\".+\\\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\\\"\\\"\\\" and \\n \\n /* Office Add-In from suspicious paths */\\n (process.args :\\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Rar$*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\BNZ.*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\*\\\",\\n \\\"http*\\\") or\\n\\t \\n process.parent.name : (\\\"explorer.exe\\\", \\\"OpenWith.exe\\\") or \\n \\n /* Office Add-In from suspicious parent */\\n process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\")) and\\n\\t \\n /* False Positives */\\n not (process.args : \\\"*.vsto\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogiOptionsPlus\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\")) and\\n not (process.args : \\\"/Uninstall\\\" and process.name : \\\"VSTOInstaller.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\") and\\n not (process.name : \\\"VSTOInstaller.exe\\\" and process.args : \\\"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution via Microsoft Office Add-Ins\",\"description\":\"Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. 
This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":205,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Octoberfest7/XLL_Phishing\",\"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3bd35567-73fa-47d7-b061-c62aefc9eb90\",\"rule_id\":\"ae8a142c-6a1d-4918-bea7-0b617e99ecfa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.323Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where \\n \\n host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n \\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSACCESS.EXE\\\", \\\"VSTOInstaller.exe\\\") and \\n \\n process.args regex~ \\\"\\\"\\\".+\\\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\\\"\\\"\\\" and \\n \\n /* Office Add-In from suspicious paths */\\n (process.args :\\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Rar$*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Temp\\\\\\\\BNZ.*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\*\\\",\\n \\\"http*\\\") or\\n\\t \\n process.parent.name : (\\\"explorer.exe\\\", \\\"OpenWith.exe\\\") or \\n \\n /* Office Add-In from suspicious parent */\\n process.parent.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\")) and\\n\\t \\n /* False Positives */\\n not (process.args : \\\"*.vsto\\\" and\\n process.parent.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logitech\\\\\\\\LogiOptions\\\\\\\\PlugInInstallerUtility.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogiOptionsPlus\\\\\\\\PlugInInstallerUtility*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptionsPlus\\\\\\\\Plugins\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\microsoft shared\\\\\\\\VSTO\\\\\\\\*\\\\\\\\VSTOInstaller.exe\\\")) and\\n not (process.args : \\\"/Uninstall\\\" and process.name : \\\"VSTOInstaller.exe\\\") and\\n not (process.parent.name : \\\"rundll32.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\Installer\\\\\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\\\") and\\n not (process.name : \\\"VSTOInstaller.exe\\\" and process.args : 
\\\"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":205,\"merged_version\":205,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"revision\":0,\"current_rule\":{\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"updated_at\":\"2024-12-04T19:45:55.325Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.325Z\",\"created_by\":\"elastic\",\"name\":\"Shared Object Created or Changed by Previously Unknown Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shared Object Created or Changed by Previously Unknown Process\\n\\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. 
The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\\n\\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\\n\\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the shared object that was created or modified through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://threatpost.com/sneaky-malware-backdoors-linux/180158/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or\\n \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or \\\"platform-python\\\") or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"file.path\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Shared Object Created or Changed by Previously Unknown Process\",\"description\":\"This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Shared Object Created or Changed by Previously Unknown Process\\n\\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\\n\\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\\n\\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the shared object that was created or modified through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE path = {{file.path}}\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://threatpost.com/sneaky-malware-backdoors-linux/180158/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.006\",\"name\":\"Dynamic Linker Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"fd26d9e3-7b42-4efa-aaf9-1fe5b8463ca3\",\"rule_id\":\"aebaa51f-2a91-4f6a-850b-b601db2293f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.325Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or 
\\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"new_terms_fields\":[\"file.path\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type
\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or\\n \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or \\\"platform-python\\\") or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or \\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.action:(creation or file_create_event or 
file_rename_event or rename) and \\nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\\n process.name:(\\n \\\"dockerd\\\" or \\\"dpkg\\\" or \\\"rpm\\\" or \\\"snapd\\\" or \\\"yum\\\" or \\\"vmis-launcher\\\" or \\\"pacman\\\" or \\\"apt-get\\\" or \\\"dnf\\\" or \\\"podman\\\" or\\n platform-python* or \\\"dnf-automatic\\\" or \\\"unattended-upgrade\\\" or \\\"apk\\\" or \\\"snap-update-ns\\\" or \\\"install\\\" or \\\"exe\\\" or\\n \\\"systemd\\\" or \\\"root\\\" or \\\"sshd\\\" or \\\"pip\\\" or \\\"jlink\\\" or python* or \\\"update-alternatives\\\" or pip* or\\n \\\"installer.bin.inst\\\" or \\\"uninstall-bin\\\" or \\\"linux_agent.inst\\\"\\n ) or \\n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*) or\\n process.executable : (/dev/fd/* or \\\"/\\\" or \\\"/kaniko/executor\\\" or \\\"/usr/bin/buildah\\\")\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"file.path\",\"process.executable\"],\"target_version\":[\"file.path\",\"process.executable\"],\"merged_version\":[\"file.path\",\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"revision\":0,\"current_rule\":{\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"updated_at\":\"2024-12-04T19:45:55.330Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.330Z\",\"created_by\":\"elastic\",\"name\":\"Local Scheduled Task Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"from\":\"now-9m\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"
process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type != \\\"end\\\" and\\n ((process.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") or\\n process.pe.original_file_name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\",\\n \\\"winrshost.exe\\\")) or\\n ?process.code_signature.trusted == false)] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"schtasks.exe\\\" or process.pe.original_file_name == \\\"schtasks.exe\\\") and\\n process.args : (\\\"/create\\\", \\\"-create\\\") and process.args : (\\\"/RU\\\", \\\"/SC\\\", \\\"/TN\\\", \\\"/TR\\\", \\\"/F\\\", \\\"/XML\\\") and\\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\")\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Local Scheduled Task Creation\",\"description\":\"Indicates the creation of a scheduled task. 
Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate scheduled tasks may be created during installation of new software.\"],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"f682fdcf-a387-4ece-b0be-b0195e0de9a1\",\"rule_id\":\"afcce5ad-65de-4ed2-8516-5e093d3ac99a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:55.330Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type != \\\"end\\\" and\\n ((process.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", \\\"wsmprovhost.exe\\\", \\\"winrshost.exe\\\") or\\n process.pe.original_file_name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\n \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\", \\\"WmiPrvSe.exe\\\", 
\\\"wsmprovhost.exe\\\",\\n \\\"winrshost.exe\\\")) or\\n ?process.code_signature.trusted == false)] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"schtasks.exe\\\" or process.pe.original_file_name == \\\"schtasks.exe\\\") and\\n process.args : (\\\"/create\\\", \\\"-create\\\") and process.args : (\\\"/RU\\\", \\\"/SC\\\", \\\"/TN\\\", \\\"/TR\\\", \\\"/F\\\", \\\"/XML\\\") and\\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\")\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\"],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1\",\"https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"revision\":0,\"current_rule\":{\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"updated_at\":\"2024-12-04T19:45:56.473Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.473Z\",\"created_by\":\"elastic\",\"name\":\"Netsh Helper DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.007\",\"name\":\"Netsh Helper DLL\",\"reference\":\"https://attack.mitre.org/techniques/T1546/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Netsh Helper DLL\",\"description\":\"Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. 
Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.007\",\"name\":\"Netsh Helper DLL\",\"reference\":\"https://attack.mitre.org/techniques/T1546/007/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b05ab49b-a71b-4b36-ad18-75ca5b1d5d79\",\"rule_id\":\"b0638186-4f12-48ac-83d2-47e686d08e82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.473Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\netsh\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"revision\":0,\"current_rule\":{\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"updated_at\":\"2024-12-04T19:46:04.753Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.753Z\",\"created_by\":\"elastic\",\"name\":\"Potential Abuse of Resources by High 
Token Count and Large Response Sizes\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: LLM04\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized heavy usage of the system that is business justified and monitored.\"],\"from\":\"now-60m\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://owasp.org/www-project-top-10-for-large-language-model-applications/\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Abuse of Resources by High Token Count and Large Response Sizes\",\"description\":\"Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. 
This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify that the user account behind the high prompt token counts and large response sizes has a documented business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify whether the attacker is moving laterally and compromising other Amazon Bedrock services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access Bedrock, and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: Amazon Web Services\",\"Data Source: AWS S3\",\"Use Case: Potential Overload\",\"Use Case: Resource Exhaustion\",\"Mitre Atlas: 
LLM04\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Authorized heavy usage of the system that is business justified and monitored.\"],\"references\":[\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://owasp.org/www-project-top-10-for-large-language-model-applications/\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule queries Amazon Bedrock model invocation logs (the `logs-aws_bedrock.invocation-*` index pattern) and relies on the `gen_ai.usage.prompt_tokens` and `gen_ai.usage.completion_tokens` fields, so model invocation logging must be enabled in AWS Bedrock and ingested into Elasticsearch for the rule to produce alerts. The query does not reference any guardrail fields, so guardrails are not a data prerequisite for this rule; for more information on configuring guardrails as additional hardening, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"56ed8f5e-ae6a-4efc-859e-6fa144794f2c\",\"rule_id\":\"b1773d05-f349-45fb-9850-287b8f92f02d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.753Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor 
desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Models High Token Count and Large Response Sizes.\\n\\nAmazon Bedrock is AWS’s managed service that enables developers to build and scale generative AI applications using large foundation models (FMs) from top providers.\\n\\nBedrock offers 
a variety of pretrained models from Amazon (such as the Titan series), as well as models from providers like Anthropic, Meta, Cohere, and AI21 Labs.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that used high prompt token counts and whether it should perform this kind of action.\\n- Investigate large response sizes and the number of requests made by the user account.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that used high prompt and large response sizes, has a business justification for the heavy usage of the system.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n - Identify potential resource exhaustion and impact on billing.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to 
prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\\n total_requests = count(*),\\n avg_response_size = avg(gen_ai.usage.completion_tokens)\\n by user.id\\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\\n| where max_tokens > 5000 and 
total_requests > 10 and avg_response_size > 500\\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\\n| where risk_factor > 10\\n| sort risk_factor desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"revision\":0,\"current_rule\":{\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"updated_at\":\"2024-12-04T19:45:56.477Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.477Z\",\"created_by\":\"elastic\",\"name\":\"Potential Network Share Discovery\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"sequence by user.name, source.port, source.ip with maxspan=15s \\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Network Share Discovery\",\"description\":\"Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor 
for collection and identify potential systems of interest for Lateral Movement.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1135\",\"name\":\"Network Share Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1135/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1039\",\"name\":\"Data from Network Shared 
Drive\",\"reference\":\"https://attack.mitre.org/techniques/T1039/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ShareName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"bfec04f8-be07-437a-a342-0e8fc9a5c085\",\"rule_id\":\"b2318c71-5959-469a-a3ce-3a0768e63b9c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.477Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.name, source.port, source.ip with maxspan=15s \\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n [file where event.action == \\\"network-share-object-access-checked\\\" and \\n winlog.event_data.ShareName in (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\", \\\"\\\\\\\\\\\\\\\\*\\\\\\\\C$\\\") and \\n source.ip != null and source.ip != \\\"0.0.0.0\\\" and source.ip != \\\"::1\\\" and source.ip != \\\"::\\\" and source.ip != \\\"127.0.0.1\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Collection\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"revision\":0,\"current_rule\":{\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"updated_at\":\"2024-12-04T19:45:56.486Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.486Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Copy via TeamViewer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Copy via TeamViewer\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\\n\\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the user to gather information about who was conducting the remote access and why.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables 
with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"},{\"id\":\"T1219\",\"name\":\"Remote Access Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"to\":\"now\",\"references\":[\"http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Copy via TeamViewer\",\"description\":\"Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Copy via TeamViewer\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\\n\\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. 
This rule looks for the TeamViewer process creating files with suspicious extensions.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Contact the user to gather information about who was conducting the remote access and why.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"},{\"id\":\"T1219\",\"name\":\"Remote Access 
Software\",\"reference\":\"https://attack.mitre.org/techniques/T1219/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d122adc4-1737-4c10-b405-9f9e7cc0605d\",\"rule_id\":\"b25a7df2-120a-4db2-bd3f-3e4b86b24bee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.486Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and 
process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and process.name : \\\"TeamViewer.exe\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\", \\\"scr\\\", \\\"com\\\", \\\"bat\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"js\\\", \\\"wsh\\\", \\\"hta\\\") and\\n not \\n (\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\*.js\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\?\\\\\\\\TeamViewer\\\\\\\\update.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer_Resource_??.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\TeamViewer\\\\\\\\CustomConfigs\\\\\\\\???????\\\\\\\\TeamViewer*.exe\\\"\\n ) and process.code_signature.trusted == true\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"revision\":0,\"current_rule\":{\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"updated_at\":\"2024-12-04T19:45:56.493Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.493Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Compiled HTML File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. 
CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the command lines for suspicious activities.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails 
from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : 
\\\"localhost\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Compiled HTML File\",\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Examine the command lines for suspicious activities.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails 
from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML 
File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c5b27c40-f5a2-4e69-9584-47938e05bfea\",\"rule_id\":\"b29ee2be-bf99-446c-ab1a-2dc0183394b8\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.493Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"hh.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and\\n not dns.question.name : 
\\\"localhost\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"revision\":0,\"current_rule\":{\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"updated_at\":\"2024-12-04T19:45:56.505Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.505Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Endpoint Security Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious Endpoint Security parent process was detected. 
This may indicate a process hollowing or other form of code injection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"esensor.exe\\\", \\\"elastic-endpoint.exe\\\") and\\n process.parent.executable != null and\\n /* add FPs here */\\n not process.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\"\\n ) and\\n not (\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SecurityHealthHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n ) and\\n process.args : (\\n \\\"test\\\", \\\"version\\\",\\n \\\"top\\\", \\\"run\\\",\\n \\\"*help\\\", \\\"status\\\",\\n \\\"upgrade\\\", \\\"/launch\\\",\\n \\\"/enable\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Endpoint Security Parent Process\",\"description\":\"A suspicious Endpoint Security parent process was detected. 
This may indicate a process hollowing or other form of code injection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4653e112-f4ad-4088-9b31-a007c7b11b63\",\"rule_id\":\"b41a13c6-ba45-4bab-a534-df53d0cfed6a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.505Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"esensor.exe\\\", \\\"elastic-endpoint.exe\\\") and\\n process.parent.executable != null and\\n /* add FPs here */\\n not process.parent.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\explorer.exe\\\"\\n ) and\\n not (\\n process.parent.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SecurityHealthHost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\powershell.exe\\\"\\n ) and\\n process.args : (\\n 
\\\"test\\\", \\\"version\\\",\\n \\\"top\\\", \\\"run\\\",\\n \\\"*help\\\", \\\"status\\\",\\n \\\"upgrade\\\", \\\"/launch\\\",\\n \\\"/enable\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"revision\":0,\"current_rule\":{\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"updated_at\":\"2024-12-04T19:45:56.548Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.548Z\",\"created_by\":\"elastic\",\"name\":\"Code Signing Policy Modification Through Built-in tools\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable/modify the code signing policy through system native utilities. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Built-in tools\\n\\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\\n\\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\\n\\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name: \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and process.args: (\\\"-set\\\", \\\"/set\\\") and \\n process.args: (\\\"TESTSIGNING\\\", \\\"nointegritychecks\\\", \\\"loadoptions\\\", \\\"DISABLE_INTEGRITY_CHECKS\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Code Signing Policy Modification Through Built-in tools\",\"description\":\"Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. 
By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Built-in tools\\n\\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\\n\\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\\n\\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cb34eb5e-e593-4d61-93ca-a6c4677e89b1\",\"rule_id\":\"b43570de-a908-4f7f-8bdb-b2df6ffd8c80\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.028Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.548Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name: \\\"bcdedit.exe\\\" or ?process.pe.original_file_name == \\\"bcdedit.exe\\\") and process.args: (\\\"-set\\\", \\\"/set\\\") and \\n process.args: (\\\"TESTSIGNING\\\", \\\"nointegritychecks\\\", \\\"loadoptions\\\", \\\"DISABLE_INTEGRITY_CHECKS\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"revision\":0,\"current_rule\":{\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"updated_at\":\"2024-12-04T19:45:56.557Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.557Z\",\"created_by\":\"elastic\",\"name\":\"At.exe Command Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of at.exe to interact with the task scheduler on remote hosts. 
Remote task creations, modifications or execution could be indicative of adversary lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"},{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"at.exe\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"At.exe Command Lateral Movement\",\"description\":\"Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.002\",\"name\":\"At\",\"reference\":\"https://attack.mitre.org/techniques/T1053/002/\"},{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"55ab0206-6119-417c-9e7a-fb877394ee16\",\"rule_id\":\"b483365c-98a8-40c0-92d8-0458ca25058a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.557Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"at.exe\\\" and process.args : \\\"\\\\\\\\\\\\\\\\*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"revision\":0,\"current_rule\":{\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"updated_at\":\"2024-12-04T19:45:56.565Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.565Z\",\"created_by\":\"elastic\",\"name\":\"Clearing Windows Console History\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Console History\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/\",\"https://www.shellhacks.com/clear-history-powershell/\",\"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or 
?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n (process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Clearing Windows Console History\",\"description\":\"Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Console History\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/\",\"https://www.shellhacks.com/clear-history-powershell/\",\"https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.003\",\"name\":\"Clear Command History\",\"reference\":\"https://attack.mitre.org/techniques/T1070/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"958b541e-e820-43c1-a408-61a2cc40e8d0\",\"rule_id\":\"b5877334-677f-4fb9-86d5-a9721274223b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.565Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n 
(process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n (process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", 
\\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n (\\n process.args : \\\"*Clear-History*\\\" or\\n (process.args : (\\\"*Remove-Item*\\\", \\\"rm\\\") and process.args : (\\\"*ConsoleHost_history.txt*\\\", \\\"*(Get-PSReadlineOption).HistorySavePath*\\\")) or\\n (process.args : \\\"*Set-PSReadlineOption*\\\" and process.args : \\\"*SaveNothing*\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"revision\":0,\"current_rule\":{\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"updated_at\":\"2024-12-04T19:45:56.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.568Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deleted or Resized via VssAdmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args in (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deleted or Resized via VssAdmin\",\"description\":\"Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule may produce benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System 
Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1ca66e44-1f41-42dc-876c-6a0c8a883225\",\"rule_id\":\"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\"\\n and (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args in (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or ?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"vssadmin.exe\\\" or 
?process.pe.original_file_name == \\\"VSSADMIN.EXE\\\") and\\n process.args : (\\\"delete\\\", \\\"resize\\\") and process.args : \\\"shadows*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"revision\":0,\"current_rule\":{\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"updated_at\":\"2024-12-04T19:45:56.570Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.570Z\",\"created_by\":\"elastic\",\"name\":\"Systemd Service Started by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Started by Unusual Parent Process\\n\\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entry_leader.entry_meta.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and\\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \\nprocess.entry_leader.entry_meta.type:* and\\nnot (\\n process.entry_leader.entry_meta.type:(container or init or unknown) or\\n process.parent.pid:1 or\\n process.parent.executable:(\\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\\n ) or\\n process.args_count >= 5\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Systemd Service Started by Unusual Parent Process\",\"description\":\"Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. 
Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Systemd Service Started by Unusual Parent Process\\n\\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\\n\\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entry_leader.entry_meta.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"47a17a33-3363-498f-bb7c-0cd78e04c8b9\",\"rule_id\":\"b605f262-f7dc-41b5-9ebc-06bafe7a83b6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04
T19:45:56.570Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and\\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \\nprocess.entry_leader.entry_meta.type:* and\\nnot (\\n process.entry_leader.entry_meta.type:(container or init or unknown) or\\n process.parent.pid:1 or\\n process.parent.executable:(\\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\\n ) or\\n process.args_count >= 5\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage\",\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"revision\":0,\"current_rule\":{\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"updated_at\":\"2024-12-04T19:45:56.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.573Z\",\"created_by\":\"elastic\",\"name\":\"Elastic Agent Service Terminated\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Elastic endpoint agent has stopped and is no longer running on the host. 
Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : \\\"stop\\\")\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Elastic Agent Service Terminated\",\"description\":\"Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. 
This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: Windows\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2843b86c-f844-4f82-b1e5-43264fa468c5\",\"rule_id\":\"b627cd12-dac4-11ec-9582-f661ea17fbcd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : 
\\\"end\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : \\\"stop\\\")\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", 
\\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : \\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where\\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\\n(event.type == \\\"start\\\" and\\n process.name : (\\\"net.exe\\\", \\\"sc.exe\\\", \\\"wmic.exe\\\",\\\"powershell.exe\\\",\\\"taskkill.exe\\\",\\\"PsKill.exe\\\",\\\"ProcessHacker.exe\\\") and\\n process.args : (\\\"stopservice\\\",\\\"uninstall\\\", \\\"stop\\\", \\\"disabled\\\",\\\"Stop-Process\\\",\\\"terminate\\\",\\\"suspend\\\") and\\n process.args : (\\\"elasticendpoint\\\", \\\"Elastic Agent\\\",\\\"elastic-agent\\\",\\\"elastic-endpoint\\\"))\\nor\\n/* service or systemctl used to stop Elastic Agent on Linux */\\n(event.type == \\\"end\\\" and\\n (process.name : (\\\"systemctl\\\", \\\"service\\\") and\\n process.args : \\\"elastic-agent\\\" and\\n process.args : (\\\"stop\\\", \\\"disable\\\"))\\n or\\n /* pkill , killall used to stop Elastic Agent on Linux */\\n ( event.type == \\\"end\\\" and process.name : (\\\"pkill\\\", \\\"killall\\\") and process.args: \\\"elastic-agent\\\")\\n or\\n /* Unload Elastic Agent extension on MacOS */\\n (process.name : 
\\\"kextunload\\\" and\\n process.args : \\\"com.apple.iokit.EndpointSecurity\\\" and\\n event.action : \\\"end\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"revision\":0,\"current_rule\":{\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"updated_at\":\"2024-12-04T19:45:56.576Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.576Z\",\"created_by\":\"elastic\",\"name\":\"Windows Script Interpreter Executing Process via WMI\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). 
This may be indicative of malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"sequence by host.id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\") and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"wmiprvse.exe\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n (process.pe.original_file_name :\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n 
\\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) or\\n process.executable : (\\\"C:\\\\\\\\Users\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.exe\\\")\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Script Interpreter Executing Process via WMI\",\"description\":\"Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b2f3f81f-b564-4936-9eff-fe8a10782e32\",\"rule_id\":\"b64b183e-1a76-422d-9179-7b389513e74d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.576Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 5s\\n [any where host.os.type == \\\"windows\\\" and \\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == 
\\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n (?dll.name : \\\"wmiutils.dll\\\" or file.name : \\\"wmiutils.dll\\\") and process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"wmiprvse.exe\\\" and\\n user.domain != \\\"NT AUTHORITY\\\" and\\n (process.pe.original_file_name :\\n (\\n \\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"Cmd.Exe\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"msxsl.exe\\\",\\n \\\"CONTROL.EXE\\\",\\n \\\"EXPLORER.EXE\\\",\\n \\\"Microsoft.Workflow.Compiler.exe\\\",\\n \\\"msiexec.exe\\\"\\n ) or\\n process.executable : (\\\"C:\\\\\\\\Users\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.exe\\\")\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"revision\":0,\"current_rule\":{\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"updated_at\":\"2024-12-04T19:46:04.755Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.755Z\",\"created_by\":\"elastic\",\"name\":\"Potential Veeam Credential Access Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2021/12/13/diavol-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Veeam Credential Access Command\",\"description\":\"Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. 
Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://thedfirreport.com/2021/12/13/diavol-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9a026aef-f571-4c11-a392-cd139bc374b8\",\"rule_id\":\"b661f86d-1c23-4ce7-a59e-2edbdba28247\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.755Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : 
\\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : 
\\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (process.name : \\\"sqlcmd.exe\\\" or ?process.pe.original_file_name : \\\"sqlcmd.exe\\\") or\\n process.args : (\\\"Invoke-Sqlcmd\\\", \\\"Invoke-SqlExecute\\\", \\\"Invoke-DbaQuery\\\", \\\"Invoke-SqlQuery\\\")\\n ) and\\n process.args : \\\"*[VeeamBackup].[dbo].[Credentials]*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"revision\":0,\"current_rule\":{\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"updated_at\":\"2024-12-04T19:46:04.757Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.757Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Service ImagePath Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.011\",\"name\":\"Services Registry Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.key\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and \\n event.action == \\\"modification\\\" and registry.value == \\\"ImagePath\\\" and\\n registry.key : (\\n \\\"*\\\\\\\\ADWS\\\", \\\"*\\\\\\\\AppHostSvc\\\", \\\"*\\\\\\\\AppReadiness\\\", \\\"*\\\\\\\\AudioEndpointBuilder\\\", \\\"*\\\\\\\\AxInstSV\\\", \\\"*\\\\\\\\camsvc\\\", 
\\\"*\\\\\\\\CertSvc\\\",\\n \\\"*\\\\\\\\COMSysApp\\\", \\\"*\\\\\\\\CscService\\\", \\\"*\\\\\\\\defragsvc\\\", \\\"*\\\\\\\\DeviceAssociationService\\\", \\\"*\\\\\\\\DeviceInstall\\\", \\\"*\\\\\\\\DevQueryBroker\\\",\\n \\\"*\\\\\\\\Dfs\\\", \\\"*\\\\\\\\DFSR\\\", \\\"*\\\\\\\\diagnosticshub.standardcollector.service\\\", \\\"*\\\\\\\\DiagTrack\\\", \\\"*\\\\\\\\DmEnrollmentSvc\\\", \\\"*\\\\\\\\DNS\\\",\\n \\\"*\\\\\\\\dot3svc\\\", \\\"*\\\\\\\\Eaphost\\\", \\\"*\\\\\\\\GraphicsPerfSvc\\\", \\\"*\\\\\\\\hidserv\\\", \\\"*\\\\\\\\HvHost\\\", \\\"*\\\\\\\\IISADMIN\\\", \\\"*\\\\\\\\IKEEXT\\\",\\n \\\"*\\\\\\\\InstallService\\\", \\\"*\\\\\\\\iphlpsvc\\\", \\\"*\\\\\\\\IsmServ\\\", \\\"*\\\\\\\\LanmanServer\\\", \\\"*\\\\\\\\MSiSCSI\\\", \\\"*\\\\\\\\NcbService\\\", \\\"*\\\\\\\\Netlogon\\\",\\n \\\"*\\\\\\\\Netman\\\", \\\"*\\\\\\\\NtFrs\\\", \\\"*\\\\\\\\PlugPlay\\\", \\\"*\\\\\\\\Power\\\", \\\"*\\\\\\\\PrintNotify\\\", \\\"*\\\\\\\\ProfSvc\\\", \\\"*\\\\\\\\PushToInstall\\\", \\\"*\\\\\\\\RSoPProv\\\",\\n \\\"*\\\\\\\\sacsvr\\\", \\\"*\\\\\\\\SENS\\\", \\\"*\\\\\\\\SensorDataService\\\", \\\"*\\\\\\\\SgrmBroker\\\", \\\"*\\\\\\\\ShellHWDetection\\\", \\\"*\\\\\\\\shpamsvc\\\", \\\"*\\\\\\\\StorSvc\\\",\\n \\\"*\\\\\\\\svsvc\\\", \\\"*\\\\\\\\swprv\\\", \\\"*\\\\\\\\SysMain\\\", \\\"*\\\\\\\\Themes\\\", \\\"*\\\\\\\\TieringEngineService\\\", \\\"*\\\\\\\\TokenBroker\\\", \\\"*\\\\\\\\TrkWks\\\",\\n \\\"*\\\\\\\\UALSVC\\\", \\\"*\\\\\\\\UserManager\\\", \\\"*\\\\\\\\vm3dservice\\\", \\\"*\\\\\\\\vmicguestinterface\\\", \\\"*\\\\\\\\vmicheartbeat\\\", \\\"*\\\\\\\\vmickvpexchange\\\",\\n \\\"*\\\\\\\\vmicrdv\\\", \\\"*\\\\\\\\vmicshutdown\\\", \\\"*\\\\\\\\vmicvmsession\\\", \\\"*\\\\\\\\vmicvss\\\", \\\"*\\\\\\\\vmvss\\\", \\\"*\\\\\\\\VSS\\\", \\\"*\\\\\\\\w3logsvc\\\", \\\"*\\\\\\\\W3SVC\\\",\\n \\\"*\\\\\\\\WalletService\\\", \\\"*\\\\\\\\WAS\\\", \\\"*\\\\\\\\wercplsupport\\\", \\\"*\\\\\\\\WerSvc\\\", \\\"*\\\\\\\\Winmgmt\\\", \\\"*\\\\\\\\wisvc\\\", 
\\\"*\\\\\\\\wmiApSrv\\\",\\n \\\"*\\\\\\\\WPDBusEnum\\\", \\\"*\\\\\\\\WSearch\\\"\\n ) and\\n not (\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%systemroot%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\"\\n ) and\\n not registry.data.strings : (\\n \\\"*\\\\\\\\cmd.exe\\\",\\n \\\"*\\\\\\\\cscript.exe\\\",\\n \\\"*\\\\\\\\ieexec.exe\\\",\\n \\\"*\\\\\\\\iexpress.exe\\\",\\n \\\"*\\\\\\\\installutil.exe\\\",\\n \\\"*\\\\\\\\Microsoft.Workflow.Compiler.exe\\\",\\n \\\"*\\\\\\\\msbuild.exe\\\",\\n \\\"*\\\\\\\\mshta.exe\\\",\\n \\\"*\\\\\\\\msiexec.exe\\\",\\n \\\"*\\\\\\\\msxsl.exe\\\",\\n \\\"*\\\\\\\\net.exe\\\",\\n \\\"*\\\\\\\\powershell.exe\\\",\\n \\\"*\\\\\\\\pwsh.exe\\\",\\n \\\"*\\\\\\\\reg.exe\\\",\\n \\\"*\\\\\\\\RegAsm.exe\\\",\\n \\\"*\\\\\\\\RegSvcs.exe\\\",\\n \\\"*\\\\\\\\regsvr32.exe\\\",\\n \\\"*\\\\\\\\rundll32.exe\\\",\\n \\\"*\\\\\\\\vssadmin.exe\\\",\\n \\\"*\\\\\\\\wbadmin.exe\\\",\\n \\\"*\\\\\\\\wmic.exe\\\",\\n \\\"*\\\\\\\\wscript.exe\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Service ImagePath Modification\",\"description\":\"Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. 
Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":102,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cube0x0.github.io/Pocing-Beyond-DA/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.011\",\"name\":\"Services Registry Permissions Weakness\",\"reference\":\"https://attack.mitre.org/techniques/T1574/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.key\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"324ac927-e192-4a44-bcad-5489e0996fca\",\"rule_id\":\"b66b7e2b-d50a-49b9-a6fc-3a383baedc6b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.757Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and \\n event.action == \\\"modification\\\" and registry.value == \\\"ImagePath\\\" and\\n registry.key : (\\n \\\"*\\\\\\\\ADWS\\\", \\\"*\\\\\\\\AppHostSvc\\\", \\\"*\\\\\\\\AppReadiness\\\", \\\"*\\\\\\\\AudioEndpointBuilder\\\", \\\"*\\\\\\\\AxInstSV\\\", \\\"*\\\\\\\\camsvc\\\", \\\"*\\\\\\\\CertSvc\\\",\\n \\\"*\\\\\\\\COMSysApp\\\", \\\"*\\\\\\\\CscService\\\", \\\"*\\\\\\\\defragsvc\\\", \\\"*\\\\\\\\DeviceAssociationService\\\", \\\"*\\\\\\\\DeviceInstall\\\", \\\"*\\\\\\\\DevQueryBroker\\\",\\n \\\"*\\\\\\\\Dfs\\\", \\\"*\\\\\\\\DFSR\\\", \\\"*\\\\\\\\diagnosticshub.standardcollector.service\\\", \\\"*\\\\\\\\DiagTrack\\\", \\\"*\\\\\\\\DmEnrollmentSvc\\\", \\\"*\\\\\\\\DNS\\\",\\n \\\"*\\\\\\\\dot3svc\\\", \\\"*\\\\\\\\Eaphost\\\", \\\"*\\\\\\\\GraphicsPerfSvc\\\", \\\"*\\\\\\\\hidserv\\\", 
\\\"*\\\\\\\\HvHost\\\", \\\"*\\\\\\\\IISADMIN\\\", \\\"*\\\\\\\\IKEEXT\\\",\\n \\\"*\\\\\\\\InstallService\\\", \\\"*\\\\\\\\iphlpsvc\\\", \\\"*\\\\\\\\IsmServ\\\", \\\"*\\\\\\\\LanmanServer\\\", \\\"*\\\\\\\\MSiSCSI\\\", \\\"*\\\\\\\\NcbService\\\", \\\"*\\\\\\\\Netlogon\\\",\\n \\\"*\\\\\\\\Netman\\\", \\\"*\\\\\\\\NtFrs\\\", \\\"*\\\\\\\\PlugPlay\\\", \\\"*\\\\\\\\Power\\\", \\\"*\\\\\\\\PrintNotify\\\", \\\"*\\\\\\\\ProfSvc\\\", \\\"*\\\\\\\\PushToInstall\\\", \\\"*\\\\\\\\RSoPProv\\\",\\n \\\"*\\\\\\\\sacsvr\\\", \\\"*\\\\\\\\SENS\\\", \\\"*\\\\\\\\SensorDataService\\\", \\\"*\\\\\\\\SgrmBroker\\\", \\\"*\\\\\\\\ShellHWDetection\\\", \\\"*\\\\\\\\shpamsvc\\\", \\\"*\\\\\\\\StorSvc\\\",\\n \\\"*\\\\\\\\svsvc\\\", \\\"*\\\\\\\\swprv\\\", \\\"*\\\\\\\\SysMain\\\", \\\"*\\\\\\\\Themes\\\", \\\"*\\\\\\\\TieringEngineService\\\", \\\"*\\\\\\\\TokenBroker\\\", \\\"*\\\\\\\\TrkWks\\\",\\n \\\"*\\\\\\\\UALSVC\\\", \\\"*\\\\\\\\UserManager\\\", \\\"*\\\\\\\\vm3dservice\\\", \\\"*\\\\\\\\vmicguestinterface\\\", \\\"*\\\\\\\\vmicheartbeat\\\", \\\"*\\\\\\\\vmickvpexchange\\\",\\n \\\"*\\\\\\\\vmicrdv\\\", \\\"*\\\\\\\\vmicshutdown\\\", \\\"*\\\\\\\\vmicvmsession\\\", \\\"*\\\\\\\\vmicvss\\\", \\\"*\\\\\\\\vmvss\\\", \\\"*\\\\\\\\VSS\\\", \\\"*\\\\\\\\w3logsvc\\\", \\\"*\\\\\\\\W3SVC\\\",\\n \\\"*\\\\\\\\WalletService\\\", \\\"*\\\\\\\\WAS\\\", \\\"*\\\\\\\\wercplsupport\\\", \\\"*\\\\\\\\WerSvc\\\", \\\"*\\\\\\\\Winmgmt\\\", \\\"*\\\\\\\\wisvc\\\", \\\"*\\\\\\\\wmiApSrv\\\",\\n \\\"*\\\\\\\\WPDBusEnum\\\", \\\"*\\\\\\\\WSearch\\\"\\n ) and\\n not (\\n registry.data.strings : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%systemroot%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\*.exe\\\",\\n \\\"%SystemRoot%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\",\\n \\\"%windir%\\\\\\\\system32\\\\\\\\svchost.exe -k *\\\"\\n ) and\\n not registry.data.strings : (\\n \\\"*\\\\\\\\cmd.exe\\\",\\n \\\"*\\\\\\\\cscript.exe\\\",\\n 
\\\"*\\\\\\\\ieexec.exe\\\",\\n \\\"*\\\\\\\\iexpress.exe\\\",\\n \\\"*\\\\\\\\installutil.exe\\\",\\n \\\"*\\\\\\\\Microsoft.Workflow.Compiler.exe\\\",\\n \\\"*\\\\\\\\msbuild.exe\\\",\\n \\\"*\\\\\\\\mshta.exe\\\",\\n \\\"*\\\\\\\\msiexec.exe\\\",\\n \\\"*\\\\\\\\msxsl.exe\\\",\\n \\\"*\\\\\\\\net.exe\\\",\\n \\\"*\\\\\\\\powershell.exe\\\",\\n \\\"*\\\\\\\\pwsh.exe\\\",\\n \\\"*\\\\\\\\reg.exe\\\",\\n \\\"*\\\\\\\\RegAsm.exe\\\",\\n \\\"*\\\\\\\\RegSvcs.exe\\\",\\n \\\"*\\\\\\\\regsvr32.exe\\\",\\n \\\"*\\\\\\\\rundll32.exe\\\",\\n \\\"*\\\\\\\\vssadmin.exe\\\",\\n \\\"*\\\\\\\\wbadmin.exe\\\",\\n \\\"*\\\\\\\\wmic.exe\\\",\\n \\\"*\\\\\\\\wscript.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":102,\"merged_version\":102,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"revision\":0,\"current_rule\":{\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"updated_at\":\"2024-12-04T19:45:56.597Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.597Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Invoke-NinjaCopy script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. 
Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Invoke-NinjaCopy script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Check if the imported function was executed and which file it targeted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"StealthReadFile\\\" or\\n \\\"StealthReadFileAddr\\\" or\\n \\\"StealthCloseFileDelegate\\\" or\\n \\\"StealthOpenFile\\\" or\\n \\\"StealthCloseFile\\\" or\\n \\\"StealthReadFile\\\" or\\n \\\"Invoke-NinjaCopy\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Invoke-NinjaCopy script\",\"description\":\"Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Invoke-NinjaCopy script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Check if the imported function was executed and which file it targeted.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14611e80-616a-40d5-aa15-480c281553f1\",\"rule_id\":\"b8386923-b02c-4b94-986a-d223d9b01f88\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.597Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"StealthReadFile\\\" or\\n \\\"StealthReadFileAddr\\\" or\\n \\\"StealthCloseFileDelegate\\\" or\\n \\\"StealthOpenFile\\\" or\\n \\\"StealthCloseFile\\\" or\\n \\\"StealthReadFile\\\" or\\n \\\"Invoke-NinjaCopy\\\"\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"revision\":0,\"current_rule\":{\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"updated_at\":\"2024-12-04T19:45:56.600Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.600Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of Domain Backup DPAPI private key\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. 
The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]}],\"to\":\"now\",\"references\":[\"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/\",\"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107\"],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.name : (\\\"ntds_capi_*.pfx\\\", \\\"ntds_capi_*.pvk\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of Domain Backup DPAPI private key\",\"description\":\"Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. 
The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\\n\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/\",\"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]},{\"id\":\"T1555\",\"name\":\"Credentials from Password 
Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"38ebc6d5-be0b-4fab-886f-fc88ec800282\",\"rule_id\":\"b83a7e96-2eb3-4edf-8346-427b6858d3bd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.600Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.name : (\\\"ntds_capi_*.pfx\\\", \\\"ntds_capi_*.pvk\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"revision\":0,\"current_rule\":{\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"updated_at\":\"2024-12-04T19:45:56.607Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.607Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via MsXsl\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script 
Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via MsXsl\",\"description\":\"Identifies msxsl.exe making a network 
connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1220\",\"name\":\"XSL Script Processing\",\"reference\":\"https://attack.mitre.org/techniques/T1220/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6e607c94-f11c-42c9-8253-3fe76627de1d\",\"rule_id\":\"b86afe07-0d98-4738-b15d-8d7465f95ff5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.607Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and 
process.name : \\\"msxsl.exe\\\" and event.type == \\\"start\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"msxsl.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"revision\":0,\"current_rule\":{\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"updated_at\":\"2024-12-04T19:45:56.610Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.610Z\",\"created_by\":\"elastic\",\"name\":\"Kirbi File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[],\"version\":208,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"kirbi\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kirbi File Creation\",\"description\":\"Identifies the creation of .kirbi files. 
The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a883f16c-b92d-4511-a30e-6bb31ed1029b\",\"rule_id\":\"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.610Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension : \\\"kirbi\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":208,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: 
Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Elastic Endgame\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"medium\",\"target_version\":\"high\",\"merged_version\":\"high\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":47,\"target_version\":73,\"merged_version\":73,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\",\"winlogbeat-*\",\"endgame-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"revision\":0,\"current_rule\":{\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"updated_at\":\"2024-12-04T19:45:56.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.613Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/hfiref0x/UACME\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"Clipup.exe\\\" and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ClipUp.exe\\\" and process.parent.name : \\\"dllhost.exe\\\" and\\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\\n process.parent.args : \\\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt with IEditionUpgradeManager Elevated 
COM Interface\",\"description\":\"Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/hfiref0x/UACME\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"be2bd438-6daf-4c5e-8274-28cc345c3b6d\",\"rule_id\":\"b90cdde7-7e0d-4359-8bf0-2c112ce2008a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"Clipup.exe\\\" and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\ClipUp.exe\\\" and process.parent.name : \\\"dllhost.exe\\\" and\\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\\n process.parent.args : 
\\\"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"revision\":0,\"current_rule\":{\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"updated_at\":\"2024-12-04T19:45:56.615Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.615Z\",\"created_by\":\"elastic\",\"name\":\"Chkconfig Service Add\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Chkconfig Service Add\\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \\n\\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. 
This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the service that was created or modified.\\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. 
\\n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/rc%.d/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and \\nnot process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") and\\nnot process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Chkconfig Service Add\",\"description\":\"Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Chkconfig Service Add\\nService files are configuration files in Linux systems used to define and manage system services. 
The `Chkconfig` binary can be used to manually add, delete or modify a service. \\n\\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\\n\\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the service that was created or modified.\\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. 
\\n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\\\n'/etc/rc%.d/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service/timer or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":113,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Threat: Lightning Framework\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf1dc797-8be7-4044-bcf9-202ffabc541d\",\"rule_id\":\"b910f25a-2d44-47f2-a873-aabdc0d355e6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.615Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", 
\\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":113,\"merged_version\":113,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\",\"subtechnique\":[{\"id\":\"T1037.004\",\"name\":\"RC Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/004/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1037\",\"name\":\"Boot or Logon Initialization Scripts\",\"reference\":\"https://attack.mitre.org/techniques/T1037/\"}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and \\nnot 
process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") and\\nnot process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", \\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\n( \\n (process.executable : \\\"/usr/sbin/chkconfig\\\" and process.args : \\\"--add\\\") or\\n (process.args : \\\"*chkconfig\\\" and process.args : \\\"--add\\\")\\n) and not (\\n process.parent.name in (\\\"rpm\\\", \\\"qualys-scan-util\\\", \\\"qualys-cloud-agent\\\", \\\"update-alternatives\\\") or\\n process.parent.args : (\\\"/var/tmp/rpm*\\\", \\\"/var/lib/waagent/*\\\") or\\n process.args in (\\\"jexec\\\", \\\"sapinit\\\", \\\"httpd\\\", \\\"dbora\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"revision\":0,\"current_rule\":{\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"updated_at\":\"2024-12-04T19:45:56.622Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.622Z\",\"created_by\":\"elastic\",\"name\":\"Group Policy Abuse for Privilege Addition\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Abuse for Privilege Addition\\n\\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. 
Example Path: \\\"\\\\\\\\DC.com\\\\SysVol\\\\DC.com\\\\Policies\\\\{PolicyGUID}\\\\Machine\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf\\\"\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\\n\\n### False positive analysis\\n\\n- Inspect whether the user that has done the modifications should be allowed to. The user name can be found in the `winlog.event_data.SubjectUserName` field.\\n\\n### Related rules\\n\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-6m\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Group Policy Abuse for Privilege Addition\",\"description\":\"Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local 
admins.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Group Policy Abuse for Privilege Addition\\n\\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \\\"\\\\\\\\DC.com\\\\SysVol\\\\DC.com\\\\Policies\\\\{PolicyGUID}\\\\Machine\\\\Microsoft\\\\Windows NT\\\\SecEdit\\\\GptTmpl.inf\\\"\\n\\n#### Possible investigation steps\\n\\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\\n\\n### False positive analysis\\n\\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\\n\\n### Related rules\\n\\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\\n- Remove the script from the GPO.\\n- Check if other GPOs have suspicious scripts attached.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md\",\"https://labs.f-secure.com/tools/sharpgpoabuse\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer 
Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"c1eb5905-df0c-41d9-82ce-de6da641eddf\",\"rule_id\":\"b9554892-5e0e-424b-83a0-5aef95aa43bf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.622Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory 
Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"target_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"merged_version\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and 
event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and event.code: \\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName: \\\"gPCMachineExtensionNames\\\" and\\n winlog.event_data.AttributeValue: \\\"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\\\" and\\n winlog.event_data.AttributeValue: \\\"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"revision\":0,\"current_rule\":{\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"updated_at\":\"2024-12-04T19:45:56.625Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.625Z\",\"created_by\":\"elastic\",\"name\":\"Creation of Hidden Files and Directories via CommandLine\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Users can mark specific files as hidden simply by putting a \\\".\\\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. 
This rule looks for hidden files or folders in common writable directories.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.\"],\"from\":\"now-9m\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- 
Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation of Hidden Files and Directories via CommandLine\",\"description\":\"Users can mark specific files as hidden simply by putting a \\\".\\\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. 
This rule looks for hidden files or folders in common writable directories.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":111,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.\"],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.001\",\"name\":\"Hidden Files and Directories\",\"reference\":\"https://attack.mitre.org/techniques/T1564/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.working_directory\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"cfa0950c-2cf3-4ce8-8e55-875364e8daf6\",\"rule_id\":\"b9666521-4742-49ce-9ddc-b8e84c35acae\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.029Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.625Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == 
\\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":111,\"merged_version\":111,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == 
\\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.working_directory in (\\\"/tmp\\\", \\\"/var/tmp\\\", \\\"/dev/shm\\\") and\\nprocess.args regex~ \\\"\\\"\\\"\\\\.[a-z0-9_\\\\-][a-z0-9_\\\\-\\\\.]{1,254}\\\"\\\"\\\" and\\nnot process.name in (\\n \\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"git\\\", \\\"jq\\\", \\\"basename\\\", \\\"check_snmp\\\", \\\"snmpget\\\", \\\"snmpwalk\\\", \\\"cc1plus\\\", \\\"snap\\\",\\n \\\"command-not-found\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"revision\":0,\"current_rule\":{\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"updated_at\":\"2024-12-04T19:45:40.246Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.246Z\",\"created_by\":\"elastic\",\"name\":\"SolarWinds Process Disabling Services via Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a SolarWinds binary modifying the start type of a service to be disabled. 
An adversary may abuse this technique to manipulate relevant security services.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", 
\\\"0x00000004\\\") and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SolarWinds Process Disabling Services via Registry\",\"description\":\"Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bb74b5fe-d219-4a42-964f-e13b597144b6\",\"rule_id\":\"b9960fef-82c6-4816-befa-44745030e917\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.246Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n 
registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such 
as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\") and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n 
\\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", \\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"Start\\\" and\\n process.name : (\\n \\\"SolarWinds.BusinessLayerHost*.exe\\\",\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n ) and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\Start\\\"\\n ) and\\n registry.data.strings : (\\\"4\\\", 
\\\"0x00000004\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"revision\":0,\"current_rule\":{\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"updated_at\":\"2024-12-04T19:45:56.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.627Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows Network Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. 
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity\\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that rarely uses the network could trigger this alert.\"],\"from\":\"now-45m\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_network_activity\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows Network Activity\",\"description\":\"Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. 
A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Network Activity\\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.\\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program or one that rarely uses the network could trigger this alert.\"],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"b6c6d9d3-5ff6-4fef-9143-5667428b008a\",\"rule_id\":\"ba342eb2-583c-439f-b04d-1fdd7c1417cc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":50,\"machine_learning_job_id\":[\"v3_windows_anomalous_network_activity\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"revision\":0,\"current_rule\":{\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"updated_at\":\"2024-12-04T19:45:56.632Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.632Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Image Load (taskschd.dll) from MS Office\",\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\\n\\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \\\"stage 2\\\" or to establish persistent access.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the files downloaded during the past 24 hours.\\n - Identify files that are related or can be executed in MS Office.\\n - Identify and analyze macros that these documents contain.\\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Related Rules\\n\\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : 
\\\"taskschd.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Image Load (taskschd.dll) from MS Office\",\"description\":\"Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\\n\\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\\n\\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\\n\\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \\\"stage 2\\\" or to establish persistent access.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Examine the files downloaded during the past 24 hours.\\n - Identify files that are related or can be executed in MS Office.\\n - Identify and analyze macros that these documents contain.\\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Related Rules\\n\\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e37821ae-340f-4721-b5a0-55182be3c309\",\"rule_id\":\"baa5d22c-5e1c-4f33-bfc9-efa73bb53022\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.632Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n (event.category : (\\\"library\\\", \\\"driver\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n process.name : (\\\"WINWORD.EXE\\\", \\\"EXCEL.EXE\\\", \\\"POWERPNT.EXE\\\", \\\"MSPUB.EXE\\\", \\\"MSACCESS.EXE\\\") and\\n (?dll.name : \\\"taskschd.dll\\\" or file.name : 
\\\"taskschd.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"revision\":0,\"current_rule\":{\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"updated_at\":\"2024-12-04T19:45:56.647Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.647Z\",\"created_by\":\"elastic\",\"name\":\"Potential SYN-Based Network Scan Detected\",\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. 
Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"max_signals\":5,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"network.packets\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"threshold\",\"language\":\"kuery\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\"],\"query\":\"destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"actions\":[]},\"target_rule\":{\"name\":\"Potential SYN-Based Network Scan Detected\",\"description\":\"This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. 
This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or fewer packets per port.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":5,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1046\",\"name\":\"Network Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1046/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0043\",\"name\":\"Reconnaissance\",\"reference\":\"https://attack.mitre.org/tactics/TA0043/\"},\"technique\":[{\"id\":\"T1595\",\"name\":\"Active Scanning\",\"reference\":\"https://attack.mitre.org/techniques/T1595/\",\"subtechnique\":[{\"id\":\"T1595.001\",\"name\":\"Scanning IP 
Blocks\",\"reference\":\"https://attack.mitre.org/techniques/T1595/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"network.packets\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"45ab17ee-ec9b-401d-b249-a6fb1f2e3f1b\",\"rule_id\":\"bbaa96b9-f36c-4898-ace2-581acb00a409\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:56.647Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"threshold\",\"query\":\"destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\\n\",\"threshold\":{\"field\":[\"destination.ip\",\"source.ip\"],\"value\":1,\"cardinality\":[{\"field\":\"destination.port\",\"value\":250}]},\"index\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\"],\"target_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Domain: Network\",\"Tactic: Discovery\",\"Tactic: Reconnaissance\",\"Use Case: Network Security 
Monitoring\",\"Data Source: Elastic Defend\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-network_traffic.*\",\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"revision\":0,\"current_rule\":{\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"updated_at\":\"2024-12-04T19:45:57.485Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.485Z\",\"created_by\":\"elastic\",\"name\":\"Potential Non-Standard Port SSH connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"OS: macOS\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.\"],\"from\":\"now-9m\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1571\",\"name\":\"Non-Standard Port\",\"reference\":\"https://attack.mitre.org/techniques/T1571/\"}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1571/\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name:\\\"ssh\\\" and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and destination.ip 
!= \\\"127.0.0.1\\\" and network.transport: \\\"tcp\\\"\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Non-Standard Port SSH connection\",\"description\":\"Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"OS: macOS\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.\"],\"references\":[\"https://attack.mitre.org/techniques/T1571/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1571\",\"name\":\"Non-Standard Port\",\"reference\":\"https://attack.mitre.org/techniques/T1571/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"abb45831-f0c8-4351-a4c2-8189e2a45bfb\",\"rule_id\":\"bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.485Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n 
destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name:\\\"ssh\\\" and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and destination.ip != \\\"127.0.0.1\\\" and network.transport: \\\"tcp\\\"\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in 
(\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where event.action == \\\"exec\\\" and process.name in (\\\"ssh\\\", \\\"sshd\\\") and not process.parent.name in (\\n \\\"rsync\\\", \\\"pyznap\\\", \\\"git\\\", \\\"ansible-playbook\\\", \\\"scp\\\", \\\"pgbackrest\\\", \\\"git-lfs\\\", \\\"expect\\\", \\\"Sourcetree\\\", \\\"ssh-copy-id\\\",\\n \\\"run\\\"\\n )\\n ]\\n [network where process.name:\\\"ssh\\\" and event.action in (\\\"connection_attempted\\\", \\\"connection_accepted\\\") and \\n destination.port != 22 and network.transport == \\\"tcp\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n 
\\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"revision\":0,\"current_rule\":{\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"updated_at\":\"2024-12-04T19:45:57.360Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.360Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Keylogging Script\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Keylogging Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1056\",\"name\":\"Input 
Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1056/\",\"subtechnique\":[{\"id\":\"T1056.001\",\"name\":\"Keylogging\",\"reference\":\"https://attack.mitre.org/techniques/T1056/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1\",\"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \\\"Get-Keystrokes\\\") or\\n powershell.file.script_block_text : (\\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \\\"WM_KEYBOARD_LL\\\" or \\\"WH_MOUSE_LL\\\")\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Keylogging Script\",\"description\":\"Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Keylogging Script\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. 
This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Determine whether the script stores the captured data locally.\\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\\n- Assess network data to determine if the host communicated with the exfiltration server.\\n\\n### False positive analysis\\n\\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":215,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1\",\"https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1056\",\"name\":\"Input Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1056/\",\"subtechnique\":[{\"id\":\"T1056.001\",\"name\":\"Keylogging\",\"reference\":\"https://attack.mitre.org/techniques/T1056/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]},{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6016afa8-76bf-4ade-bb4e-475057f8d85f\",\"rule_id\":\"bd2c86a0-8b61-4457-ab38-96943984e889\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.360Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n (\\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \\\"Get-Keystrokes\\\") or\\n powershell.file.script_block_text : (\\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \\\"WM_KEYBOARD_LL\\\" or \\\"WH_MOUSE_LL\\\")\\n )\\n ) and not user.id : \\\"S-1-5-18\\\"\\n and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":215,\"merged_version\":215,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"revision\":0,\"current_rule\":{\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"updated_at\":\"2024-12-04T19:45:57.366Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.366Z\",\"created_by\":\"elastic\",\"name\":\"Potential Defense Evasion via CMSTP.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. 
Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.003\",\"name\":\"CMSTP\",\"reference\":\"https://attack.mitre.org/techniques/T1218/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1218/003/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmstp.exe\\\" and process.args == \\\"/s\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Defense Evasion via CMSTP.exe\",\"description\":\"The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a 
command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1218/003/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.003\",\"name\":\"CMSTP\",\"reference\":\"https://attack.mitre.org/techniques/T1218/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d0d90d07-57a3-4b1e-b604-b685460cb996\",\"rule_id\":\"bd3d058d-5405-4cee-b890-337f09366ba2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.366Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmstp.exe\\\" and process.args == \\\"/s\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: 
Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"revision\":0,\"current_rule\":{\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"updated_at\":\"2024-12-04T19:45:57.369Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.369Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler Point and Print DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx\",\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan=30s\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\"]\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\\\\\\*\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler Point and Print DLL\",\"description\":\"Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability\",\"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx\",\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"37fde093-6f46-41ef-83a4-b17aa20b3faa\",\"rule_id\":\"bd7eefee-f671-494e-98df-f01daf9e5f17\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.369Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=30s\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\SpoolDirectory\\\"\\n ) and\\n registry.data.strings : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\"]\\n[registry where host.os.type == \\\"windows\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Print\\\\\\\\Printers\\\\\\\\*\\\\\\\\CopyFiles\\\\\\\\Payload\\\\\\\\Module\\\"\\n ) and\\n registry.data.strings : 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\4\\\\\\\\*\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"revision\":0,\"current_rule\":{\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"updated_at\":\"2024-12-04T19:45:57.371Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.371Z\",\"created_by\":\"elastic\",\"name\":\"Potential Pspy Process Monitoring Detected\",\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1082\",\"name\":\"System Information 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/DominicBreuker/pspy\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -- \\\"-w /proc/ -p r -k audit_proc\\\"\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-auditd_manager.auditd-*\"],\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") ] with 
runs=10\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Pspy Process Monitoring Detected\",\"description\":\"This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Data Source: Auditd Manager\",\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/DominicBreuker/pspy\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"},{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\n- For this detection rule the following additional audit rules are required to be added to the integration:\\n -- \\\"-w /proc/ -p r -k 
audit_proc\\\"\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"5684f629-d22d-4c93-85fb-7192c36b72d8\",\"rule_id\":\"bdb04043-f0e3-4efa-bdee-7d9d13fa9edc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.371Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"index\":[\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"target_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"merged_version\":[{\"name\":\"auditd.data.a0\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.a2\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"auditd.data.syscall\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : 
(\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.pid, host.id with maxspan=5s\\n [file where host.os.type == \\\"linux\\\" and auditd.data.syscall == \\\"openat\\\" and file.path == \\\"/proc\\\" and\\n auditd.data.a0 : (\\\"ffffffffffffff9c\\\", \\\"ffffff9c\\\") and auditd.data.a2 : (\\\"80000\\\", \\\"88000\\\") and\\n not process.name == \\\"agentbeat\\\"\\n ] with runs=10\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"revision\":0,\"current_rule\":{\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"updated_at\":\"2024-12-04T19:45:57.374Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.374Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privileged Escalation via SamAccountName Spoofing\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious computer account name 
rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\",\"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\",\"https://github.com/cube0x0/noPac\",\"https://twitter.com/exploitph/status/1469157138928914432\",\"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"iam where event.action == \\\"renamed-user-account\\\" and\\n /* machine account name renamed to user like account name */\\n winlog.event_data.OldTargetUserName : \\\"*$\\\" and not winlog.event_data.NewTargetUserName : \\\"*$\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privileged Escalation via SamAccountName 
Spoofing\",\"description\":\"Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e\",\"https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/\",\"https://github.com/cube0x0/noPac\",\"https://twitter.com/exploitph/status/1469157138928914432\",\"https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"},{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"7c0346c7-6204-4cb3-91d8-5e933a4867b0\",\"rule_id\":\"bdcf646b-08d4-492c-870a-6c04e3700034\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.374Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"renamed-user-account\\\" and\\n /* machine account name renamed to user like account name */\\n winlog.event_data.OldTargetUserName : \\\"*$\\\" and not winlog.event_data.NewTargetUserName : 
\\\"*$\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Use Case: Vulnerability\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"revision\":0,\"current_rule\":{\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"updated_at\":\"2024-12-04T19:45:57.376Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.376Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a Host\",\"tags\":[\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. 
Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_host\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a Host\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"b0c4f16a-a9fb-49d8-9ecc-f8ad13c3370e\",\"rule_id\":\"bdfebe11-e169-42e3-b344-c5d2015533d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.376Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_host\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"revision\":0,\"current_rule\":{\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"updated_at\":\"2024-12-04T19:45:57.381Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.381Z\",\"created_by\":\"elastic\",\"name\":\"Searching for Saved Credentials via VaultCmd\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. 
This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not 
define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name:\\\"vaultcmd.exe\\\" or process.name:\\\"vaultcmd.exe\\\") and\\n process.args:\\\"/list*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Searching for Saved Credentials via VaultCmd\",\"description\":\"Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. 
This may also be performed in preparation of lateral movement.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16\",\"https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1555\",\"name\":\"Credentials from Password Stores\",\"reference\":\"https://attack.mitre.org/techniques/T1555/\",\"subtechnique\":[{\"id\":\"T1555.004\",\"name\":\"Windows Credential 
Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1555/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c8afd79d-788b-45e5-bd70-30061b8be45a\",\"rule_id\":\"be8afaed-4bcd-4e0a-b5f9-5562003dde81\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.381Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name:\\\"vaultcmd.exe\\\" or process.name:\\\"vaultcmd.exe\\\") and\\n process.args:\\\"/list*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"revision\":0,\"current_rule\":{\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"updated_at\":\"2024-12-04T19:45:57.390Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.390Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious DLL Loaded for Persistence or Privilege Escalation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\\n\\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. 
This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\\n\\n#### Possible investigation steps\\n\\n- Examine the DLL signature and identify the process that created it.\\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the DLL and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code 
Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://itm4n.github.io/windows-dll-hijacking-clarified/\",\"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\",\"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html\",\"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html\",\"https://windows-internals.com/faxing-your-way-to-system/\",\"http://waleedassar.blogspot.com/2013/01/wow64logdll.html\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not 
file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n )\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious DLL Loaded for Persistence or Privilege Escalation\",\"description\":\"Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\\n\\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. 
This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\\n\\n#### Possible investigation steps\\n\\n- Examine the DLL signature and identify the process that created it.\\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve the DLL and determine if it is malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://itm4n.github.io/windows-dll-hijacking-clarified/\",\"http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html\",\"https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html\",\"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html\",\"https://windows-internals.com/faxing-your-way-to-system/\",\"http://waleedassar.blogspot.com/2013/01/wow64logdll.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ff2fdf6f-a084-413d-8a9b-bc0fe7f37335\",\"rule_id\":\"bfeaf89b-a2a7-48a3-817f-e41829dc61ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.390Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", 
\\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.library*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll
.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.hash.sha256\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n\\n /* compatible with Sysmon 
EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"oci.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", 
\\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n 
\\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"any where host.os.type == \\\"windows\\\" and\\n(event.category : (\\\"driver\\\", \\\"library\\\") or (event.category == \\\"process\\\" and event.action : \\\"Image loaded*\\\")) and\\n(\\n /* compatible with Elastic Endpoint Library Events */\\n (\\n ?dll.name : (\\n \\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\"\\n )\\n and (\\n ?dll.code_signature.trusted != true or\\n ?dll.code_signature.exists != true or\\n (\\n dll.code_signature.trusted == true and\\n not dll.code_signature.subject_name : (\\\"Microsoft Windows\\\", \\\"Microsoft Corporation\\\", \\\"Microsoft Windows Publisher\\\")\\n )\\n ) or\\n /* oci.dll is too noisy due to unsigned Oracle related DLL loaded from random dirs */\\n (\\n (?dll.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\" and \\n (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or \\n \\n (file.path : \\\"?:\\\\\\\\Windows\\\\\\\\*\\\\\\\\oci.dll\\\" and not file.code_signature.status == \\\"Valid\\\" 
and process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\*.exe\\\")\\n ) or \\n\\n /* compatible with Sysmon EventID 7 - Image Load */\\n (file.name : (\\\"wlbsctrl.dll\\\", \\\"wbemcomn.dll\\\", \\\"WptsExtensions.dll\\\", \\\"Tsmsisrv.dll\\\", \\\"TSVIPSrv.dll\\\", \\\"Msfte.dll\\\",\\n \\\"wow64log.dll\\\", \\\"WindowsCoreDeviceInfo.dll\\\", \\\"Ualapi.dll\\\", \\\"wlanhlp.dll\\\", \\\"phoneinfo.dll\\\", \\\"EdgeGdi.dll\\\",\\n \\\"cdpsgshims.dll\\\", \\\"windowsperformancerecordercontrol.dll\\\", \\\"diagtrack_win.dll\\\", \\\"TPPCOIPW32.dll\\\", \\n \\\"tpgenlic.dll\\\", \\\"thinmon.dll\\\", \\\"fxsst.dll\\\", \\\"msTracer.dll\\\") and \\n not file.hash.sha256 : \\n (\\\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\\\", \\n \\\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\\\", \\n \\\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\\\") and \\n not file.code_signature.status == \\\"Valid\\\")\\n ) and\\n not\\n (\\n ?dll.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n 
\\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n ) or\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbemcomn.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wlanhlp.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\windowsperformancerecordercontrol.dll\\\", \\n \\\"C:\\\\\\\\ProgramData\\\\\\\\docker\\\\\\\\windowsfilter\\\\\\\\*\\\\\\\\Files\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbemcomn.dll\\\", \\n \\\"\\\\\\\\Device\\\\\\\\vmsmb\\\\\\\\VSMB-{*}\\\\\\\\os\\\\\\\\windows\\\\\\\\system32\\\\\\\\*.dll\\\"\\n )\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"revision\":0,\"current_rule\":{\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"updated_at\":\"2024-12-04T19:45:57.395Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.395Z\",\"created_by\":\"elastic\",\"name\":\"Creation or Modification of a new GPO Scheduled Task or Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: 
Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\") and\\n not process.name : \\\"dfsrs.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Creation or Modification of a new GPO Scheduled Task or Service\",\"description\":\"Detects the creation or modification of a new Group Policy based scheduled task or service. 
These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1484\",\"name\":\"Domain or Tenant Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/\",\"subtechnique\":[{\"id\":\"T1484.001\",\"name\":\"Group Policy Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1484/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.005\",\"name\":\"Scheduled 
Task\",\"reference\":\"https://attack.mitre.org/techniques/T1053/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c42fcf27-2763-4609-876b-bf5ddcc2f92c\",\"rule_id\":\"c0429aa8-9974-42da-bfb6-53a0a515a145\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.030Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.395Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and \\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : 
\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\") and\\n not process.name : \\\"dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and 
\\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and event.action != \\\"open\\\" and \\n file.name : (\\\"ScheduledTasks.xml\\\", \\\"Services.xml\\\") and \\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\ScheduledTasks\\\\\\\\ScheduledTasks.xml\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SYSVOL\\\\\\\\domain\\\\\\\\Policies\\\\\\\\*\\\\\\\\MACHINE\\\\\\\\Preferences\\\\\\\\Services\\\\\\\\Services.xml\\\"\\n ) and\\n not process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"revision\":0,\"current_rule\":{\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"updated_at\":\"2024-12-04T19:46:04.760Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.760Z\",\"created_by\":\"elastic\",\"name\":\"Active Directory Forced Authentication from Linux Host - SMB Named Pipes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a potential forced authentication using related SMB named pipes. 
Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\"],\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445] by host.ip\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Active Directory Forced Authentication from Linux Host - SMB Named Pipes\",\"description\":\"Identifies a potential forced authentication using related SMB named pipes. 
Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/p0dalirius/windows-coerced-authentication-methods\",\"https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications\",\"https://attack.mitre.org/techniques/T1187/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1187\",\"name\":\"Forced Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1187/\"}]}],\"setup\":\"## Setup\\n\\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\\n\\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nObject Access >\\nAudit Detailed File Share (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"e5a29126-2205-4781-97e5-80b1d41b98bc\",\"rule_id\":\"c24e9a43-f67e-431d-991b-09cdb83b3c0c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.760Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", 
\\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"target_version\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"merged_version\":[{\"name\":\"data_stream.namespace\",\"type\":\"constant_keyword\",\"ecs\":false},{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == 
\\\"connection_attempted\\\" and destination.port == 445] by host.ip\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence with maxspan=15s\\n[network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace\\n[file where host.os.type == \\\"windows\\\" and event.code == \\\"5145\\\" and file.name : (\\\"Spoolss\\\", \\\"netdfs\\\", \\\"lsarpc\\\", \\\"lsass\\\", \\\"netlogon\\\", \\\"samr\\\", \\\"efsrpc\\\", \\\"FssagentRpc\\\")] by source.ip, data_stream.namespace\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"logs-system.security-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"revision\":0,\"current_rule\":{\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"updated_at\":\"2024-12-04T19:45:57.415Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.415Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft IIS Connection Strings Decryption\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\",\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"aspnet_regiis.exe\\\" or ?process.pe.original_file_name == \\\"aspnet_regiis.exe\\\") and\\n process.args : \\\"connectionStrings\\\" and process.args : \\\"-pdf\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft IIS Connection Strings Decryption\",\"description\":\"Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/\",\"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\"],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"18aa6b86-bc36-4811-bb11-ff76a53c8834\",\"rule_id\":\"c25e9c87-95e1-4368-bfab-9fd34cf867ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.415Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"aspnet_regiis.exe\\\" or ?process.pe.original_file_name 
== \\\"aspnet_regiis.exe\\\") and\\n process.args : \\\"connectionStrings\\\" and process.args : \\\"-pdf\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"revision\":0,\"current_rule\":{\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"updated_at\":\"2024-12-04T19:45:57.425Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.425Z\",\"created_by\":\"elastic\",\"name\":\"Mshta Making Network Connections\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Mshta.exe making outbound network connections. 
This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-20m\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=10m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n not 
process.parent.name : \\\"Microsoft.ConfigurationManagement.exe\\\" and\\n not (process.parent.executable : \\\"C:\\\\\\\\Amazon\\\\\\\\Amazon Assistant\\\\\\\\amazonAssistantService.exe\\\" or\\n process.parent.executable : \\\"C:\\\\\\\\TeamViewer\\\\\\\\TeamViewer.exe\\\") and\\n not process.args : \\\"ADSelfService_Enroll.hta\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"mshta.exe\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mshta Making Network Connections\",\"description\":\"Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-20m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.005\",\"name\":\"Mshta\",\"reference\":\"https://attack.mitre.org/techniques/T1218/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8717cf04-fb92-4f0f-9088-5d7ddba5a019\",\"rule_id\":\"c2d90150-0133-451c-a783-533e736c12d7\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.425Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=10m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"mshta.exe\\\" and\\n not process.parent.name : \\\"Microsoft.ConfigurationManagement.exe\\\" and\\n not (process.parent.executable : \\\"C:\\\\\\\\Amazon\\\\\\\\Amazon Assistant\\\\\\\\amazonAssistantService.exe\\\" or\\n process.parent.executable : \\\"C:\\\\\\\\TeamViewer\\\\\\\\TeamViewer.exe\\\") and\\n not process.args : \\\"ADSelfService_Enroll.hta\\\"]\\n [network where host.os.type == \\\"windows\\\" and process.name : 
\\\"mshta.exe\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"revision\":0,\"current_rule\":{\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"updated_at\":\"2024-12-04T19:45:57.429Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.429Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via BITS Job Notify Cmdline\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[\"https://pentestlab.blog/2019/10/30/persistence-bits-jobs/\",\"https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline\",\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline\",\"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2\"],\"version\":309,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and 
process.parent.args : \\\"BITS\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\directxdatabaseupdater.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via BITS Job Notify Cmdline\",\"description\":\"An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":410,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pentestlab.blog/2019/10/30/persistence-bits-jobs/\",\"https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline\",\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline\",\"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1dc15276-a33a-4dcb-8ee2-0750e165ade3\",\"rule_id\":\"c3b915e0-22f3-4bf7-991d-b643513c722f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.429Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"svchost.exe\\\" and process.parent.args : \\\"BITS\\\" and\\n not process.executable :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wermgr.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\directxdatabaseupdater.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":309,\"target_version\":410,\"merged_version\":410,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"revision\":0,\"current_rule\":{\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"updated_at\":\"2024-12-04T19:45:57.438Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.438Z\",\"created_by\":\"elastic\",\"name\":\"Mounting Hidden or WebDav Remote Shares\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n process.args : \\\"use\\\" and\\n /* including hidden and webdav based online shares such as onedrive */\\n process.args : (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\", \\\"\\\\\\\\\\\\\\\\*@SSL\\\\\\\\*\\\", \\\"http*\\\") and\\n /* excluding shares deletion operation */\\n not process.args : \\\"/d*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mounting Hidden or WebDav Remote Shares\",\"description\":\"Identifies the use of net.exe to mount a WebDav or hidden remote share. 
This may indicate lateral movement or preparation for data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.003\",\"name\":\"Local Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1087\",\"name\":\"Account 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/001/\"},{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f177bd68-7ed4-468f-9a7a-9c9f48d78d59\",\"rule_id\":\"c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.438Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n ((process.name : \\\"net.exe\\\" or ?process.pe.original_file_name == \\\"net.exe\\\") or ((process.name : \\\"net1.exe\\\" or ?process.pe.original_file_name == \\\"net1.exe\\\") and\\n not process.parent.name : \\\"net.exe\\\")) and\\n process.args : \\\"use\\\" and\\n /* including hidden and webdav based online shares such as onedrive */\\n process.args : (\\\"\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\", 
\\\"\\\\\\\\\\\\\\\\*@SSL\\\\\\\\*\\\", \\\"http*\\\") and\\n /* excluding shares deletion operation */\\n not process.args : \\\"/d*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"revision\":0,\"current_rule\":{\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"updated_at\":\"2024-12-04T19:45:57.440Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.440Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Print Spooler File Deletion\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects deletion of print driver files by an unusual process. 
This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information.\"],\"from\":\"now-9m\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"deletion\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Print Spooler File Deletion\",\"description\":\"Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":307,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Uninstall or manual deletion of a legitimate printing driver files. 
Verify the printer file metadata such as manufacturer and signature information.\"],\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4298dbc2-212c-4339-9fab-b355408587a6\",\"rule_id\":\"c4818812-d44f-47be-aaef-4cfb2f9cc799\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.440Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", 
\\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":307,\"merged_version\":307,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"e
cs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"deletion\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\") and\\n file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"deletion\\\" and\\n file.extension : \\\"dll\\\" and file.path : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\*.dll\\\" and\\n not process.name : (\\\"spoolsv.exe\\\", \\\"dllhost.exe\\\", \\\"explorer.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"revision\":0,\"current_rule\":{\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"updated_at\":\"2024-12-04T19:45:57.445Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.445Z\",\"created_by\":\"elastic\",\"name\":\"Attempted Private Key Access\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Attackers may try to access private keys, e.g. 
ssh, in order to gain further authenticated access to the environment.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"*.pem *\\\", \\\"*.pem\\\", \\\"*.id_rsa*\\\") and\\n not process.args: (\\\"--tls-cert\\\", \\\"--ssl-cert\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Software\\\\\\\\*\\\\\\\\LogiLuUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\*\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-controller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-deception-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-detection-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-enforcement-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-guest-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Schneider Electric EcoStruxure\\\\\\\\Building Operation 5.0\\\\\\\\Device Administrator\\\\\\\\Python\\\\\\\\python.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Splunk\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SplunkUniversalForwarder\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\icacls.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenSSH\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempted Private Key Access\",\"description\":\"Attackers may try to access private keys, e.g. 
ssh, in order to gain further authenticated access to the environment.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.004\",\"name\":\"Private 
Keys\",\"reference\":\"https://attack.mitre.org/techniques/T1552/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9d8725db-723b-455d-a6c1-e082ed9d71de\",\"rule_id\":\"c55badd3-3e61-4292-836f-56209dc8a601\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.445Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.args : (\\\"*.pem *\\\", \\\"*.pem\\\", \\\"*.id_rsa*\\\") and\\n not process.args: (\\\"--tls-cert\\\", \\\"--ssl-cert\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Logishrd\\\\\\\\LogiOptions\\\\\\\\Software\\\\\\\\*\\\\\\\\LogiLuUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\*\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-controller.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-deception-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-detection-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-enforcement-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Guardicore\\\\\\\\gc-guest-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Schneider Electric EcoStruxure\\\\\\\\Building Operation 
5.0\\\\\\\\Device Administrator\\\\\\\\Python\\\\\\\\python.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Splunk\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\SplunkUniversalForwarder\\\\\\\\bin\\\\\\\\openssl.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Logi\\\\\\\\LogiBolt\\\\\\\\LogiBoltUpdater.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\icacls.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\OpenSSH\\\\\\\\*\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"revision\":0,\"current_rule\":{\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"updated_at\":\"2024-12-04T19:45:57.447Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.447Z\",\"created_by\":\"elastic\",\"name\":\"Service Path Modification via sc.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data 
Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where event.type == \\\"start\\\" and process.name : \\\"sc.exe\\\" and\\n process.args : \\\"*config*\\\" and process.args : \\\"*binPath*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Path Modification via sc.exe\",\"description\":\"Identifies attempts to modify a service path setting using sc.exe. 
Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dee21b62-9ced-4822-b323-4fc0a4ec1de1\",\"rule_id\":\"c5677997-f75b-4cda-b830-a75920514096\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.447Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where event.type == \\\"start\\\" and process.name : \\\"sc.exe\\\" and\\n process.args : \\\"*config*\\\" and process.args : \\\"*binPath*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: 
Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"revision\":0,\"current_rule\":{\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"updated_at\":\"2024-12-04T19:45:57.450Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.450Z\",\"created_by\":\"elastic\",\"name\":\"Potential Remote Desktop Shadowing Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing\",\"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : 
(\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Remote Desktop Shadowing Activity\",\"description\":\"Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing\",\"https://swarm.ptsecurity.com/remote-desktop-services-shadowing/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.001\",\"name\":\"Remote Desktop Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1021/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b9bf3a78-6e00-4b19-b546-42b42b228667\",\"rule_id\":\"c57f8579-e2a5-4804-847f-f2732edc5156\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.450Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows 
NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == 
\\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n )\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"/* Identifies the modification of RDP Shadow registry or\\n the execution of processes indicative of active shadow RDP session */\\n\\nany where host.os.type == \\\"windows\\\" and\\n(\\n (event.category == \\\"registry\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Terminal Services\\\\\\\\Shadow\\\"\\n 
)\\n ) or\\n (event.category == \\\"process\\\" and event.type == \\\"start\\\" and\\n (process.name : (\\\"RdpSaUacHelper.exe\\\", \\\"RdpSaProxy.exe\\\") and process.parent.name : \\\"svchost.exe\\\") or\\n (?process.pe.original_file_name : \\\"mstsc.exe\\\" and process.args : \\\"/shadow:*\\\")\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"revision\":0,\"current_rule\":{\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"updated_at\":\"2024-12-04T19:45:57.455Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.455Z\",\"created_by\":\"elastic\",\"name\":\"Potential Credential Access via Renamed COM+ Services DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\\n\\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\\n\\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Identify the process that created the DLL using file creation events.\\n - Inspect the file for useful metadata, such as file size and creation or modification time.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and DLL using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery 
- Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\\n\\n### Related Rules\\n\\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\\n- If 
the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[\"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.imphash\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\\nFile Name.\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and\\n process.name : \\\"rundll32.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and event.dataset : 
\\\"windows.sysmon_operational\\\" and event.code == \\\"7\\\" and\\n (file.pe.original_file_name : \\\"COMSVCS.DLL\\\" or file.pe.imphash : \\\"EADBCCBB324829ACB5F2BBE87E5549A8\\\") and\\n /* renamed COMSVCS */\\n not file.name : \\\"COMSVCS.DLL\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Credential Access via Renamed COM+ Services DLL\",\"description\":\"Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\\n\\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\\n\\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Identify the process that created the DLL using file creation events.\\n - Inspect the file for useful metadata, such as file size and creation or modification time.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and DLL using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery 
- Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\\n\\n### False positive analysis\\n\\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\\n\\n### Related Rules\\n\\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\\n- If 
the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"## Setup\\n\\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\\nFile Name.\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.imphash\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f14ba7d8-898e-4246-bd0d-f010037416e7\",\"rule_id\":\"c5c9f591-d111-4cf8-baec-c26a39bc31ef\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.455Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id 
with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and\\n process.name : \\\"rundll32.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.category == \\\"process\\\" and event.dataset : \\\"windows.sysmon_operational\\\" and event.code == \\\"7\\\" and\\n (file.pe.original_file_name : \\\"COMSVCS.DLL\\\" or file.pe.imphash : \\\"EADBCCBB324829ACB5F2BBE87E5549A8\\\") and\\n /* renamed COMSVCS */\\n not file.name : \\\"COMSVCS.DLL\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"revision\":0,\"current_rule\":{\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"updated_at\":\"2024-12-04T19:45:40.243Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.243Z\",\"created_by\":\"elastic\",\"name\":\"Installation of Custom Shim Databases\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the installation of custom 
Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\" and \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Installation of Custom Shim Databases\",\"description\":\"Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application 
Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7d4c7514-7e50-4439-81fb-61d24071332f\",\"rule_id\":\"c5ce48a6-7f57-4ee8-9313-3d0024caee10\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.243Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\" and \\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : 
(\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\AppCompatFlags\\\\\\\\Custom\\\\\\\\*.sdb\\\"\\n ) and\\n not process.executable : \\n (\\\"?:\\\\\\\\Program Files (x86)\\\\\\\\DesktopCentral_Agent\\\\\\\\swrepository\\\\\\\\1\\\\\\\\swuploads\\\\\\\\SAP-SLC\\\\\\\\SAPSetupSLC02_14-80001954\\\\\\\\Setup\\\\\\\\NwSapSetup.exe\\\", \\n 
\\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\SetupPlatform.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SAPsetup\\\\\\\\setup\\\\\\\\NwSapSetup.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\SAP\\\\\\\\SapSetup\\\\\\\\OnRebootSvc\\\\\\\\NWSAPSetupOnRebootInstSvc.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\Kaspersky Security for Windows Server\\\\\\\\kavfs.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"revision\":0,\"current_rule\":{\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"updated_at\":\"2024-12-04T19:45:57.457Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.457Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Build Engine Started by an Office Application\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Started by an Office Application\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. 
It is quite unusual for this program to be started by an Office application like Word or Excel.\"],\"from\":\"now-9m\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : (\\\"eqnedt32.exe\\\",\\n \\\"excel.exe\\\",\\n \\\"fltldr.exe\\\",\\n \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\",\\n \\\"outlook.exe\\\",\\n \\\"powerpnt.exe\\\",\\n \\\"winword.exe\\\" )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Build Engine Started by an Office Application\",\"description\":\"An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Build Engine Started by an Office Application\\n\\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\\n\\nThe Microsoft Build Engine is a platform for building applications. 
This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\\n\\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\\n- Determine if the collected files are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n - If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. 
It is quite unusual for this program to be started by an Office application like Word or Excel.\"],\"references\":[\"https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1127\",\"name\":\"Trusted Developer Utilities Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1127/\",\"subtechnique\":[{\"id\":\"T1127.001\",\"name\":\"MSBuild\",\"reference\":\"https://attack.mitre.org/techniques/T1127/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eb62de09-87c2-4bcf-9c70-23f420b93bc4\",\"rule_id\":\"c5dc3223-13a2-44a2-946c-e9dc0aa0449c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.457Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"MSBuild.exe\\\" and\\n process.parent.name : 
(\\\"eqnedt32.exe\\\",\\n \\\"excel.exe\\\",\\n \\\"fltldr.exe\\\",\\n \\\"msaccess.exe\\\",\\n \\\"mspub.exe\\\",\\n \\\"outlook.exe\\\",\\n \\\"powerpnt.exe\\\",\\n \\\"winword.exe\\\" )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"revision\":0,\"current_rule\":{\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"updated_at\":\"2024-12-04T19:45:57.462Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.462Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Download via MpCmdRun\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and 
analysis\\n\\n### Investigating Remote File Download via MpCmdRun\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Check the reputation of the domain or IP address used to host the downloaded file.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - 
!{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the 
existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/mohammadaskar2/status/1301263551638761477\",\"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"MpCmdRun.exe\\\" or ?process.pe.original_file_name == \\\"MpCmdRun.exe\\\") and\\n process.args : \\\"-DownloadFile\\\" and process.args : \\\"-url\\\" and process.args : \\\"-path\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Download via MpCmdRun\",\"description\":\"Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Remote File Download via MpCmdRun\\n\\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\\n\\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the user in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"user.id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{user.id}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n - !{investigate{\\\"label\\\":\\\"Alerts associated with the host in the last 48h\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"event.kind\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"signal\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"host.name\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{host.name}}\\\",\\\"valueType\\\":\\\"string\\\"}]],\\\"relativeFrom\\\":\\\"now-48h/h\\\",\\\"relativeTo\\\":\\\"now\\\"}}\\n- Check the reputation of the domain or IP address used to host the downloaded file.\\n- Examine the 
host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - !{investigate{\\\"label\\\":\\\"Investigate the Subject Process Network Events\\\",\\\"providers\\\":[[{\\\"excluded\\\":false,\\\"field\\\":\\\"process.entity_id\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"{{process.entity_id}}\\\",\\\"valueType\\\":\\\"string\\\"},{\\\"excluded\\\":false,\\\"field\\\":\\\"event.category\\\",\\\"queryType\\\":\\\"phrase\\\",\\\"value\\\":\\\"network\\\",\\\"valueType\\\":\\\"string\\\"}]]}}\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/mohammadaskar2/status/1301263551638761477\",\"https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1852ade3-f245-4002-aaa8-9046b9b8effa\",\"rule_id\":\"c6453e73-90eb-4fe7-a98c-cde7bbfc504a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.031Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.462Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"MpCmdRun.exe\\\" or ?process.pe.original_file_name == \\\"MpCmdRun.exe\\\") and\\n process.args : \\\"-DownloadFile\\\" and process.args : \\\"-url\\\" and process.args : \\\"-path\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"revision\":0,\"current_rule\":{\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"updated_at\":\"2024-12-04T19:45:57.472Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.472Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Network Connection via DllHost\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual instances of dllhost.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where 
host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"dllhost.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\", \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Network Connection via DllHost\",\"description\":\"Identifies unusual instances of dllhost.exe making outbound network connections. 
This may indicate adversarial Command and Control activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/\",\"https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d35301fd-b86e-4b43-a001-9168b080d2e4\",\"rule_id\":\"c7894234-7814-44c2-92a9-f7d851ea246a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.472Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"dllhost.exe\\\" and process.args_count == 1]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\", \\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n 
\\\"FF00::/8\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"revision\":0,\"current_rule\":{\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"updated_at\":\"2024-12-04T19:45:57.477Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.477Z\",\"created_by\":\"elastic\",\"name\":\"Unusual File Modification by dns.exe\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of 
exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Write\\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"to\":\"now\",\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : 
(\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual File Modification by dns.exe\",\"description\":\"Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual File Write\\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/\",\"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/\",\"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1210\",\"name\":\"Exploitation of Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1210/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a8e0b0be-c298-43e7-b22f-5257ff0be5f1\",\"rule_id\":\"c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:57.477Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in 
(\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"B
ASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and process.name : \\\"dns.exe\\\" and event.type in (\\\"creation\\\", \\\"deletion\\\", \\\"change\\\") and\\n not file.name : \\\"dns.log\\\" and not\\n (file.extension : (\\\"old\\\", \\\"temp\\\", \\\"bak\\\", \\\"dns\\\", \\\"arpa\\\") and file.path : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dns\\\\\\\\*\\\") and\\n\\n /* DNS logs with custom names, header converts to \\\"DNS Server log\\\" */\\n not ?file.Ext.header_bytes : \\\"444e5320536572766572206c6f67*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"revision\":0,\"current_rule\":{\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"updated_at\":\"2024-12-04T19:45:58.370Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.370Z\",\"created_by\":\"elastic\",\"name\":\"SMB (Windows File Sharing) Activity to the Internet\",\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration 
Over Alternative Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMB (Windows File Sharing) Activity to the Internet\",\"description\":\"This rule detects network events that may indicate the use of Windows file sharing (also 
called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"03c34e69-2fdd-4f02-8b24-9fe54c3516fa\",\"rule_id\":\"c82b2bd8-d701-420c-ba43-f11a155b681a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.370Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Initial Access\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"revision\":0,\"current_rule\":{\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"updated_at\":\"2024-12-04T19:45:58.373Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.373Z\",\"created_by\":\"elastic\",\"name\":\"Direct Outbound SMB Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Direct Outbound SMB Connection\\n\\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"
type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\"],\"query\":\"sequence by process.entity_id with maxspan=2m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and \\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and \\n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \\\"Microsoft *\\\") and \\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4 and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\")]\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMB Connections via LOLBin or Untrusted Process\",\"description\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. 
Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve 
Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":112,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin 
Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"61a6e07e-c84d-48cc-bade-e3e404a7a11d\",\"rule_id\":\"c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.373Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : \\\"powershell.exe\\\" and\\n process.args 
:\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":112,\"merged_version\":112,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"name\":{\"has_base_version\":false,\"current_version\":\"Direct Outbound SMB Connection\",\"target_version\":\"SMB Connections via LOLBin or Untrusted Process\",\"merged_version\":\"SMB Connections via LOLBin or Untrusted Process\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"description\":{\"has_base_version\":false,\"current_version\":\"Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.\",\"target_version\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. 
Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"merged_version\":\"Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Direct Outbound SMB Connection\\n\\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. 
When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. 
Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or 
created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\\n\\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\\n\\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). 
Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All 
Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keywo
rd\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id with maxspan=2m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and \\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and \\n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \\\"Microsoft *\\\") and \\n not (process.name : \\\"powershell.exe\\\" and process.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4 and\\n not cidrmatch(destination.ip, \\\"127.0.0.1\\\", \\\"::1\\\")]\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : 
\\\"powershell.exe\\\" and\\n process.args :\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id with maxspan=1m\\n\\n /* first sequence to capture the start of Windows processes */\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.pid != 4 and\\n\\n /* ignore NT Authority and Network Service accounts */\\n not user.id : (\\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n\\n /* filter out anything trusted but not from Microsoft */\\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \\\"Microsoft\\\")) and\\n\\n /* filter out PowerShell scripts from Windows Defender ATP */\\n not (\\n process.name : \\\"powershell.exe\\\" and\\n process.args :\\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\Downloads\\\\\\\\PSScript_*.ps1\\\")]\\n\\n /* second sequence to capture network connections over port 445 related to SMB */\\n [network where host.os.type == \\\"windows\\\" and destination.port == 445 and process.pid != 4]\\n\\n/* end the sequence when the process ends where joining was on process.entity_id */\\nuntil [process where host.os.type == \\\"windows\\\" and event.type == \\\"end\\\"]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"revision\":0,\"current_rule\":{\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"updated_at\":\"2024-12-04T19:45:58.381Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.381Z\",\"created_by\":\"elastic\",\"name\":\"Parent Process PID Spoofing\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://blog.didierstevens.com/2017/03/20/\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.Ext.real.pid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"],\"query\":\"/* This rule is compatible with Elastic Endpoint only */\\n\\nsequence by host.id, user.id with maxspan=3m \\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.Ext.token.integrity_level_name != \\\"system\\\" and \\n (\\n process.pe.original_file_name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\",\\n \\\"fltldr.exe\\\", \\\"mspub.exe\\\", 
\\\"msaccess.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\",\\n \\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"msbuild.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") or \\n \\n (process.executable : (\\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\") and \\n (process.code_signature.exists == false or process.code_signature.status : \\\"errorBadDigest\\\")) or \\n \\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\*.exe\\\" \\n ) and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.pid\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.Ext.real.pid > 0 and \\n \\n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\\n not (process.name : \\\"msedge.exe\\\" and process.parent.name : \\\"sihost.exe\\\") and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.parent.Ext.real.pid\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Parent Process PID Spoofing\",\"description\":\"Identifies parent process spoofing used to thwart detection. 
Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.004\",\"name\":\"Parent PID 
Spoofing\",\"reference\":\"https://attack.mitre.org/techniques/T1134/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.Ext.real.pid\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6297b922-ff34-4ced-bdb8-49125db3dec6\",\"rule_id\":\"c88d4bd0-5649-4c52-87ea-9be59dbfbcf2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.381Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* This rule is compatible with Elastic Endpoint only */\\n\\nsequence by host.id, user.id with maxspan=3m \\n\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.Ext.token.integrity_level_name != \\\"system\\\" and \\n (\\n process.pe.original_file_name : (\\\"winword.exe\\\", \\\"excel.exe\\\", \\\"outlook.exe\\\", \\\"powerpnt.exe\\\", \\\"eqnedt32.exe\\\",\\n \\\"fltldr.exe\\\", \\\"mspub.exe\\\", \\\"msaccess.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\",\\n 
\\\"cscript.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\", \\\"msbuild.exe\\\",\\n \\\"mshta.exe\\\", \\\"wmic.exe\\\", \\\"cmstp.exe\\\", \\\"msxsl.exe\\\") or \\n \\n (process.executable : (\\\"?:\\\\\\\\Users\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\") and \\n (process.code_signature.exists == false or process.code_signature.status : \\\"errorBadDigest\\\")) or \\n \\n process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\*.exe\\\" \\n ) and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.pid\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.Ext.real.pid > 0 and \\n \\n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\\n not (process.name : \\\"msedge.exe\\\" and process.parent.name : \\\"sihost.exe\\\") and \\n \\n not process.executable : \\n (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\", \\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\SysWOW64\\\\\\\\WerFaultSecure.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\WerFault.exe\\\")\\n ] by process.parent.Ext.real.pid\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://blog.didierstevens.com/2017/03/20/\"],\"target_version\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merged_version\":[\"https://blog.didierstevens.com/2017/03/20/\",\"https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"revision\":0,\"current_rule\":{\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"updated_at\":\"2024-12-04T19:45:58.383Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.383Z\",\"created_by\":\"elastic\",\"name\":\"Potential Linux Ransomware Note Creation Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. 
One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"to\":\"now\",\"references\":[],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and file.name : (\\n \\\"*crypt*\\\", \\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", 
\\\"*data*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\"\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Linux Ransomware Note Creation Detected\",\"description\":\"This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":10,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1486\",\"name\":\"Data Encrypted for Impact\",\"reference\":\"https://attack.mitre.org/techniques/T1486/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b61ce0eb-9730-42bc-adf8-42c07a16b996\",\"rule_id\":\"c8935a8b-634a-4449-98f7-bb24d3b2c0af\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.383Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", 
\\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":10,\"merged_version\":10,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", 
\\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and file.name : (\\n \\\"*crypt*\\\", \\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*data*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\"\\n )\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", 
\\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by process.entity_id, host.id with maxspan=1s \\n [file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and file.extension : \\\"?*\\\" \\n and process.executable : (\\\"./*\\\", \\\"/tmp/*\\\", \\\"/var/tmp/*\\\", \\\"/dev/shm/*\\\", \\\"/var/run/*\\\", \\\"/boot/*\\\") and\\n file.path : (\\n \\\"/home/*/Downloads/*\\\", \\\"/home/*/Documents/*\\\", \\\"/root/*\\\", \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/var/log/*\\\", \\\"/var/lib/log/*\\\",\\n \\\"/var/backup/*\\\", \\\"/var/www/*\\\") and\\n not process.name : (\\n \\\"dpkg\\\", \\\"yum\\\", \\\"dnf\\\", \\\"rpm\\\", \\\"dockerd\\\", \\\"go\\\", \\\"java\\\", \\\"pip*\\\", \\\"python*\\\", \\\"node\\\", \\\"containerd\\\", \\\"php\\\", \\\"p4d\\\",\\n \\\"conda\\\", \\\"chrome\\\", \\\"imap\\\", \\\"cmake\\\", \\\"firefox\\\", \\\"semanage\\\", \\\"semodule\\\", \\\"ansible-galaxy\\\", \\\"fc-cache\\\", \\\"jammy\\\", \\\"git\\\",\\n \\\"systemsettings\\\", \\\"vmis-launcher\\\", \\\"bundle\\\", \\\"kudu-tserver\\\", \\\"suldownloader\\\", \\\"rustup-init\\\"\\n )\\n ] with runs=25\\n [file where host.os.type == \\\"linux\\\" and event.action == \\\"creation\\\" and\\n file.name : (\\\"*restore*\\\", \\\"*lock*\\\", \\\"*recovery*\\\", \\\"*read*\\\", \\\"*instruction*\\\", \\\"*how_to*\\\", \\\"*ransom*\\\")\\n ]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"revision\":0,\"current_rule\":{\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"updated_at\":\"2024-12-04T19:45:40.248Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.248Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Startup Shell Folder Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Startup Shell Folder Modification\\n\\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related file tied to the Windows Registry entry.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\\n\\n### Related rules\\n\\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Startup Shell Folder Modification\",\"description\":\"Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Startup Shell Folder Modification\\n\\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. 
Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related file tied to the Windows Registry entry.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or 
anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. 
Before undertaking further investigation, it should be verified that this activity is not benign.\\n\\n### Related rules\\n\\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ae303b2e-8e7f-4bee-929f-9202f608281f\",\"rule_id\":\"c8b150f0-0164-475b-a75e-74b47800a9ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.248Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n 
\\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign\",\"https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : (\\\"Common Startup\\\", \\\"Startup\\\") and\\n registry.path : (\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"HKLM\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Common Startup\\\",\\n \\\"MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Common Startup\\\",\\n 
\\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\User Shell Folders\\\\\\\\Startup\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Explorer\\\\\\\\Shell Folders\\\\\\\\Startup\\\"\\n ) and\\n registry.data.strings != null and\\n /* Normal Startup Folder Paths */\\n not registry.data.strings : (\\n \\\"C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%ProgramData%\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"%USERPROFILE%\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"revision\":0,\"current_rule\":{\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"updated_at\":\"2024-12-04T19:45:58.386Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.386Z\",\"created_by\":\"elastic\",\"name\":\"Disabling Windows Defender Security Settings via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling Windows Defender Security Settings via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Planned Windows Defender configuration changes.\"],\"from\":\"now-9m\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Set-MpPreference\\\" and process.args : 
(\\\"-Disable*\\\", \\\"Disabled\\\", \\\"NeverSend\\\", \\\"-Exclusion*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disabling Windows Defender Security Settings via PowerShell\",\"description\":\"Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling Windows Defender Security Settings via PowerShell\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Planned Windows Defender configuration changes.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b14af299-f772-48f1-b892-4e200d757fd4\",\"rule_id\":\"c8cccb06-faf2-4cd5-886e-2c9636cfcb87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.386Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Set-MpPreference\\\" and process.args : (\\\"-Disable*\\\", \\\"Disabled\\\", \\\"NeverSend\\\", 
\\\"-Exclusion*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\"],\"target_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps\",\"https://www.elastic.co/security-labs/operation-bleeding-bear\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"revision\":0,\"current_rule\":{\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"updated_at\":\"2024-12-04T19:45:58.399Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.399Z\",\"created_by\":\"elastic\",\"name\":\"Unsigned DLL Side-Loading from a Suspicious Folder\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL 
Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.Ext.relative_file_name_modify_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"],\"query\":\"library where host.os.type == \\\"windows\\\" and\\n\\n process.code_signature.trusted == true and \\n \\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\") and \\n \\n /* Suspicious Paths */\\n dll.path : 
(\\\"?:\\\\\\\\PerfLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Pictures\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Music\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.dll\\\",\\n\\t\\t \\\"?:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceProfiles\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*.dll\\\") and \\n\\t \\n\\t /* DLL loaded from the process.executable current directory */\\n\\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unsigned DLL Side-Loading from a Suspicious Folder\",\"description\":\"Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.001\",\"name\":\"Invalid Code 
Signature\",\"reference\":\"https://attack.mitre.org/techniques/T1036/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.002\",\"name\":\"DLL Side-Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1574/002/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"dll.Ext.relative_file_creation_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.Ext.relative_file_name_modify_time\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"dll.code_signature.status\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"dll.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e36aaab-53b0-4306-932e-485d9663c617\",\"rule_id\":\"ca98c7cf-a56e-4057-a4e8-39603f7f0389\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.399Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"library where host.os.type == \\\"windows\\\" 
and\\n\\n process.code_signature.trusted == true and \\n \\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \\n \\n not dll.code_signature.status : (\\\"trusted\\\", \\\"errorExpired\\\", \\\"errorCode_endpoint*\\\", \\\"errorChaining\\\") and \\n \\n /* Suspicious Paths */\\n dll.path : (\\\"?:\\\\\\\\PerfLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Pictures\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Music\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Documents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.dll\\\",\\n\\t\\t \\\"?:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceProfiles\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.dll\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.dll\\\",\\n \\\"?:\\\\\\\\$Recycle.Bin\\\\\\\\*.dll\\\") and \\n\\t \\n\\t /* DLL loaded from the process.executable current directory */\\n\\t endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.library-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merged_version\":[\"https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"updated_at\":\"2024-12-04T19:45:58.401Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.401Z\",\"created_by\":\"elastic\",\"name\":\"Abnormal Process ID or Lock File Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Threat: BPFDoor\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Abnormal Process ID or Lock File Created\\n\\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\\n\\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\\n\\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. 
Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the file and determine if it is malicious:\\n - Check the contents of the PID files. They should only contain integer strings.\\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\\n - Analysts can use tools like `ent` to measure entropy.\\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. 
If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Block the identified indicators of compromise (IoCs).\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. 
To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.\"],\"from\":\"now-9m\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/\",\"https://twitter.com/GossiTheDog/status/1522964028284411907\",\"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf\",\"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\"],\"version\":213,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \\nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\\nnot file.name : (jem.*.pid)\\n\",\"new_terms_fields\":[\"host.id\",\"process.executable\",\"file.path\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Abnormal Process ID or Lock File Created\",\"description\":\"Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. 
Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Abnormal Process ID or Lock File Created\\n\\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\\n\\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\\n\\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\\n\\n#### Possible investigation steps\\n\\n- Retrieve the file and determine if it is malicious:\\n - Check the contents of the PID files. They should only contain integer strings.\\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\\n - Analysts can use tools like `ent` to measure entropy.\\n - Examine the reputation of the SHA-256 hash in the PID file. 
Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\\n\\n### False positive analysis\\n\\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file name and process executable conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Block the identified indicators of compromise (IoCs).\\n- Take actions to terminate processes and connections used by the attacker.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":214,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Threat: BPFDoor\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious.\"],\"references\":[\"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/\",\"https://twitter.com/GossiTheDog/status/1522964028284411907\",\"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf\",\"https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ca0af71a-e575-4694-aae3-f2ab4708e2d1\",\"rule_id\":\"cac91072-d165-11ec-a764-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.401Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or 
/var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"new_terms_fields\":[\"process.executable\",\"file.name\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":213,\"target_version\":214,\"merged_version\":214,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and 
event.action:(creation or file_create_event) and\\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \\nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\\nnot file.name : (jem.*.pid)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or 
/var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\\nfile.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\\n (process.name : (\\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\\n ) or (\\n process.executable : (\\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\\n ))\\n) and not (\\n process.executable : (\\n /tmp/newroot/* or /run/containerd/* or /run/k3s/containerd/* or /run/k0s/container* or /snap/* or /vz/* or\\n /var/lib/docker/* or /etc/*/universal-hooks/pkgs/mysql-community-server/* or /var/lib/snapd/* or /etc/rubrik/* or\\n /run/udev/data/*\\n ) or\\n process.name : (\\n go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or\\n rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or\\n s6-ipcserver-socketbinder or xinetd\\n ) or\\n file.name : (\\n jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or\\n rhnsd.pid\\n ) or\\n file.path : (/run/containerd/* or /var/run/docker/containerd/* or /var/run/jem*.pid)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.executable\",\"file.path\"],\"target_version\":[\"process.executable\",\"file.name\"],\"merged_version\":[\"process.executable\",\"file.name\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"revision\":0,\"current_rule\":{\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"updated_at\":\"2024-12-04T19:45:58.404Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.404Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace MFA Enforcement Disabled\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace MFA Enforcement Disabled\\n\\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies the disabling of MFA enforcement in Google Workspace. 
This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"MFA policies may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/9176657?hl=en#\"],\"version\":207,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin\\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\\n and google_workspace.admin.new_value:false\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace MFA Enforcement Disabled\",\"description\":\"Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. 
An adversary may disable MFA enforcement in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace MFA Enforcement Disabled\\n\\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies the disabling of MFA enforcement in Google Workspace. This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Impact\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"1792879f-b83c-44c5-b2d7-f0c3c17be4d6\",\"rule_id\":\"cad4500a-abd7-4ef3-b5d3-95524de7cfe1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.404Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin\\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\\n and google_workspace.admin.new_value:false\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":207,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/9176657?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"revision\":0,\"current_rule\":{\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"updated_at\":\"2024-12-04T19:45:58.416Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.416Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace User Organizational Unit Changed\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace User Organizational Unit Changed\\n\\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\\n\\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. 
User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\\n\\nThis rule identifies when a user has been moved to a different organizational unit.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently had their organizational unit changed.\\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of 
false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.\"],\"from\":\"now-130m\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.type:change and event.category:iam\\n and google_workspace.event.type:\\\"USER_SETTINGS\\\" and event.action:\\\"MOVE_USER_TO_ORG_UNIT\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace User Organizational Unit Changed\",\"description\":\"Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. 
Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace User Organizational Unit Changed\\n\\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\\n\\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. 
The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\\n\\nThis rule identifies when a user has been moved to a different organizational unit.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\\n - Add `user.email` with the target user account that recently had their organizational unit changed.\\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\\n\\n### False positive analysis\\n\\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of 
false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments.\"],\"references\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.event.type\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e5b916a2-f71b-4b62-9e2f-c95599f5c9ed\",\"rule_id\":\"cc6a8a20-2df2-11ed-8378-f661ea17fbce\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.416Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:\\\"google_workspace.admin\\\" and event.type:change and event.category:iam\\n and google_workspace.event.type:\\\"USER_SETTINGS\\\" and event.action:\\\"MOVE_USER_TO_ORG_UNIT\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\"],\"target_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6328701?hl=en#\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"revision\":0,\"current_rule\":{\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"updated_at\":\"2024-12-04T19:45:58.428Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.428Z\",\"created_by\":\"elastic\",\"name\":\"Kernel Module Removal\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. 
Note that some Linux distributions are not built to support the removal of modules at all.\"],\"from\":\"now-9m\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"to\":\"now\",\"references\":[\"http://man7.org/linux/man-pages/man8/modprobe.8.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"rmmod\\\" or (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\")) and \\nprocess.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kernel Module Removal\",\"description\":\"Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. 
This rule identifies attempts to remove a kernel module.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.\"],\"references\":[\"http://man7.org/linux/man-pages/man8/modprobe.8.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.006\",\"name\":\"Kernel Modules and Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1547/006/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e8ae7f9f-5e3c-4d3f-8064-9afe7a3b65d7\",\"rule_id\":\"cd66a5af-e34b-4bb0-8931-57d0a043f2ef\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.428Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", 
\\\"fish\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name == \\\"rmmod\\\" or (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\")) and \\nprocess.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and (\\n process.name == \\\"rmmod\\\" or\\n (process.name == \\\"modprobe\\\" and process.args in (\\\"--remove\\\", \\\"-r\\\"))\\n) and process.parent.name in (\\\"sudo\\\", \\\"bash\\\", \\\"dash\\\", \\\"ash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"revision\":0,\"current_rule\":{\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"updated_at\":\"2024-12-04T19:45:58.430Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.430Z\",\"created_by\":\"elastic\",\"name\":\"Downloaded URL Files\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"url\\\"\\n and file.Ext.windows.zone_identifier > 1 and not process.name : \\\"explorer.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Downloaded URL Files\",\"description\":\"Identifies .url shortcut files downloaded from outside the local network. 
These shortcut files are commonly used in phishing campaigns.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0b02d296-eeea-41c5-a5f5-ca79978f807d\",\"rule_id\":\"cd82e3d6-1346-4afd-8f22-38388bbf34cb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.430Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and file.extension == \\\"url\\\"\\n and file.Ext.windows.zone_identifier > 1 and not process.name : \\\"explorer.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"severity\":{\"has_base_version\":false,\"current_version\":\"low\",\"target_version\":\"medium\",\"merged_version\":\"medium\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"risk_score\":{\"has_base_version\":false,\"current_version\":21,\"target_version\":47,\"merged_version\":47,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"revision\":0,\"current_rule\":{\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"updated_at\":\"2024-12-04T19:45:58.441Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.441Z\",\"created_by\":\"elastic\",\"name\":\"Potential PowerShell HackTool Script by Function Names\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential PowerShell HackTool Script by Function Names\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. 
This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's 
`process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\\n\\n### Related Rules\\n\\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\",\"https://github.com/BC-SECURITY/Empire\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Add-DomainGroupMember\\\" or \\\"Add-DomainObjectAcl\\\" or\\n \\\"Add-RemoteConnection\\\" or \\\"Add-ServiceDacl\\\" or\\n \\\"Add-Win32Type\\\" or \\\"Convert-ADName\\\" or\\n \\\"Convert-LDAPProperty\\\" or \\\"ConvertFrom-LDAPLogonHours\\\" or\\n \\\"ConvertFrom-UACValue\\\" or \\\"Copy-ArrayOfMemAddresses\\\" or\\n 
\\\"Create-NamedPipe\\\" or \\\"Create-ProcessWithToken\\\" or\\n \\\"Create-RemoteThread\\\" or \\\"Create-SuspendedWinLogon\\\" or\\n \\\"Create-WinLogonProcess\\\" or \\\"Emit-CallThreadStub\\\" or\\n \\\"Enable-SeAssignPrimaryTokenPrivilege\\\" or \\\"Enable-SeDebugPrivilege\\\" or\\n \\\"Enum-AllTokens\\\" or \\\"Export-PowerViewCSV\\\" or\\n \\\"Find-AVSignature\\\" or \\\"Find-AppLockerLog\\\" or\\n \\\"Find-DomainLocalGroupMember\\\" or \\\"Find-DomainObjectPropertyOutlier\\\" or\\n \\\"Find-DomainProcess\\\" or \\\"Find-DomainShare\\\" or\\n \\\"Find-DomainUserEvent\\\" or \\\"Find-DomainUserLocation\\\" or\\n \\\"Find-InterestingDomainAcl\\\" or \\\"Find-InterestingDomainShareFile\\\" or\\n \\\"Find-InterestingFile\\\" or \\\"Find-LocalAdminAccess\\\" or\\n \\\"Find-PSScriptsInPSAppLog\\\" or \\\"Find-PathDLLHijack\\\" or\\n \\\"Find-ProcessDLLHijack\\\" or \\\"Find-RDPClientConnection\\\" or\\n \\\"Get-AllAttributesForClass\\\" or \\\"Get-CachedGPPPassword\\\" or\\n \\\"Get-DecryptedCpassword\\\" or \\\"Get-DecryptedSitelistPassword\\\" or\\n \\\"Get-DelegateType\\\" or \\\"New-RelayEnumObject\\\" or\\n \\\"Get-DomainDFSShare\\\" or \\\"Get-DomainDFSShareV1\\\" or\\n \\\"Get-DomainDFSShareV2\\\" or \\\"Get-DomainDNSRecord\\\" or\\n \\\"Get-DomainDNSZone\\\" or \\\"Get-DomainFileServer\\\" or\\n \\\"Get-DomainForeignGroupMember\\\" or \\\"Get-DomainForeignUser\\\" or\\n \\\"Get-DomainGPO\\\" or \\\"Get-DomainGPOComputerLocalGroupMapping\\\" or\\n \\\"Get-DomainGPOLocalGroup\\\" or \\\"Get-DomainGPOUserLocalGroupMapping\\\" or\\n \\\"Get-DomainGUIDMap\\\" or \\\"Get-DomainGroup\\\" or\\n \\\"Get-DomainGroupMember\\\" or \\\"Get-DomainGroupMemberDeleted\\\" or\\n \\\"Get-DomainManagedSecurityGroup\\\" or \\\"Get-DomainOU\\\" or\\n \\\"Get-DomainObject\\\" or \\\"Get-DomainObjectAcl\\\" or\\n \\\"Get-DomainObjectAttributeHistory\\\" or \\\"Get-DomainObjectLinkedAttributeHistory\\\" or\\n \\\"Get-DomainPolicyData\\\" or \\\"Get-DomainSID\\\" or\\n 
\\\"Get-DomainSPNTicket\\\" or \\\"Get-DomainSearcher\\\" or\\n \\\"Get-DomainSite\\\" or \\\"Get-DomainSubnet\\\" or\\n \\\"Get-DomainTrust\\\" or \\\"Get-DomainTrustMapping\\\" or\\n \\\"Get-DomainUser\\\" or \\\"Get-DomainUserEvent\\\" or\\n \\\"Get-Forest\\\" or \\\"Get-ForestDomain\\\" or\\n \\\"Get-ForestGlobalCatalog\\\" or \\\"Get-ForestSchemaClass\\\" or\\n \\\"Get-ForestTrust\\\" or \\\"Get-GPODelegation\\\" or\\n \\\"Get-GPPAutologon\\\" or \\\"Get-GPPInnerField\\\" or\\n \\\"Get-GPPInnerFields\\\" or \\\"Get-GPPPassword\\\" or\\n \\\"Get-GptTmpl\\\" or \\\"Get-GroupsXML\\\" or\\n \\\"Get-HttpStatus\\\" or \\\"Get-ImageNtHeaders\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"New-SOASerialNumberArray\\\" or \\n \\\"Get-MemoryProcAddress\\\" or \\\"Get-MicrophoneAudio\\\" or\\n \\\"Get-ModifiablePath\\\" or \\\"Get-ModifiableRegistryAutoRun\\\" or\\n \\\"Get-ModifiableScheduledTaskFile\\\" or \\\"Get-ModifiableService\\\" or\\n \\\"Get-ModifiableServiceFile\\\" or \\\"Get-Name\\\" or\\n \\\"Get-NetComputerSiteName\\\" or \\\"Get-NetLocalGroup\\\" or\\n \\\"Get-NetLocalGroupMember\\\" or \\\"Get-NetLoggedon\\\" or\\n \\\"Get-NetRDPSession\\\" or \\\"Get-NetSession\\\" or\\n \\\"Get-NetShare\\\" or \\\"Get-PEArchitecture\\\" or\\n \\\"Get-PEBasicInfo\\\" or \\\"Get-PEDetailedInfo\\\" or\\n \\\"Get-PathAcl\\\" or \\\"Get-PrimaryToken\\\" or\\n \\\"Get-ProcAddress\\\" or \\\"Get-ProcessTokenGroup\\\" or\\n \\\"Get-ProcessTokenPrivilege\\\" or \\\"Get-ProcessTokenType\\\" or\\n \\\"Get-RegLoggedOn\\\" or \\\"Get-RegistryAlwaysInstallElevated\\\" or\\n \\\"Get-RegistryAutoLogon\\\" or \\\"Get-RemoteProcAddress\\\" or\\n \\\"Get-Screenshot\\\" or \\\"Get-ServiceDetail\\\" or\\n \\\"Get-SiteListPassword\\\" or \\\"Get-SitelistField\\\" or\\n \\\"Get-System\\\" or \\\"Get-SystemNamedPipe\\\" or\\n \\\"Get-SystemToken\\\" or \\\"Get-ThreadToken\\\" or\\n \\\"Get-TimedScreenshot\\\" or \\\"Get-TokenInformation\\\" or\\n \\\"Get-TopPort\\\" or 
\\\"Get-UnattendedInstallFile\\\" or\\n \\\"Get-UniqueTokens\\\" or \\\"Get-UnquotedService\\\" or\\n \\\"Get-VaultCredential\\\" or \\\"Get-VaultElementValue\\\" or\\n \\\"Get-VirtualProtectValue\\\" or \\\"Get-VolumeShadowCopy\\\" or\\n \\\"Get-WMIProcess\\\" or \\\"Get-WMIRegCachedRDPConnection\\\" or\\n \\\"Get-WMIRegLastLoggedOn\\\" or \\\"Get-WMIRegMountedDrive\\\" or\\n \\\"Get-WMIRegProxy\\\" or \\\"Get-WebConfig\\\" or\\n \\\"Get-Win32Constants\\\" or \\\"Get-Win32Functions\\\" or\\n \\\"Get-Win32Types\\\" or \\\"Import-DllImports\\\" or\\n \\\"Import-DllInRemoteProcess\\\" or \\\"Inject-LocalShellcode\\\" or\\n \\\"Inject-RemoteShellcode\\\" or \\\"Install-ServiceBinary\\\" or\\n \\\"Invoke-CompareAttributesForClass\\\" or \\\"Invoke-CreateRemoteThread\\\" or\\n \\\"Invoke-CredentialInjection\\\" or \\\"Invoke-DllInjection\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-ImpersonateUser\\\" or\\n \\\"Invoke-Kerberoast\\\" or \\\"Invoke-MemoryFreeLibrary\\\" or\\n \\\"Invoke-MemoryLoadLibrary\\\" or\\n \\\"Invoke-Mimikatz\\\" or \\\"Invoke-NinjaCopy\\\" or\\n \\\"Invoke-PatchDll\\\" or \\\"Invoke-Portscan\\\" or\\n \\\"Invoke-PrivescAudit\\\" or \\\"Invoke-ReflectivePEInjection\\\" or\\n \\\"Invoke-ReverseDnsLookup\\\" or \\\"Invoke-RevertToSelf\\\" or\\n \\\"Invoke-ServiceAbuse\\\" or \\\"Invoke-Shellcode\\\" or\\n \\\"Invoke-TokenManipulation\\\" or \\\"Invoke-UserImpersonation\\\" or\\n \\\"Invoke-WmiCommand\\\" or \\\"Mount-VolumeShadowCopy\\\" or\\n \\\"New-ADObjectAccessControlEntry\\\" or \\\"New-DomainGroup\\\" or\\n \\\"New-DomainUser\\\" or \\\"New-DynamicParameter\\\" or\\n \\\"New-InMemoryModule\\\" or\\n \\\"New-ThreadedFunction\\\" or \\\"New-VolumeShadowCopy\\\" or\\n \\\"Out-CompressedDll\\\" or \\\"Out-EncodedCommand\\\" or\\n \\\"Out-EncryptedScript\\\" or \\\"Out-Minidump\\\" or\\n \\\"PortScan-Alive\\\" or \\\"Portscan-Port\\\" or\\n \\\"Remove-DomainGroupMember\\\" or \\\"Remove-DomainObjectAcl\\\" or\\n 
\\\"Remove-RemoteConnection\\\" or \\\"Remove-VolumeShadowCopy\\\" or\\n \\\"Restore-ServiceBinary\\\" or \\\"Set-DesktopACLToAllowEveryone\\\" or\\n \\\"Set-DesktopACLs\\\" or \\\"Set-DomainObject\\\" or\\n \\\"Set-DomainObjectOwner\\\" or \\\"Set-DomainUserPassword\\\" or\\n \\\"Set-ServiceBinaryPath\\\" or \\\"Sub-SignedIntAsUnsigned\\\" or\\n \\\"Test-AdminAccess\\\" or \\\"Test-MemoryRangeValid\\\" or\\n \\\"Test-ServiceDaclPermission\\\" or \\\"Update-ExeFunctions\\\" or\\n \\\"Update-MemoryAddresses\\\" or \\\"Update-MemoryProtectionFlags\\\" or\\n \\\"Write-BytesToMemory\\\" or \\\"Write-HijackDll\\\" or\\n \\\"Write-PortscanOut\\\" or \\\"Write-ServiceBinary\\\" or\\n \\\"Write-UserAddMSI\\\" or \\\"Invoke-Privesc\\\" or\\n \\\"func_get_proc_address\\\" or \\\"Invoke-BloodHound\\\" or\\n \\\"Invoke-HostEnum\\\" or \\\"Get-BrowserInformation\\\" or\\n \\\"Get-DomainAccountPolicy\\\" or \\\"Get-DomainAdmins\\\" or\\n \\\"Get-AVProcesses\\\" or \\\"Get-AVInfo\\\" or\\n \\\"Get-RecycleBin\\\" or \\\"Invoke-BruteForce\\\" or\\n \\\"Get-PassHints\\\" or \\\"Invoke-SessionGopher\\\" or\\n \\\"Get-LSASecret\\\" or \\\"Get-PassHashes\\\" or\\n \\\"Invoke-WdigestDowngrade\\\" or \\\"Get-ChromeDump\\\" or\\n \\\"Invoke-DomainPasswordSpray\\\" or \\\"Get-FoxDump\\\" or\\n \\\"New-HoneyHash\\\" or \\\"Invoke-DCSync\\\" or\\n \\\"Invoke-PowerDump\\\" or \\\"Invoke-SSIDExfil\\\" or\\n \\\"Invoke-PowerShellTCP\\\" or \\\"Add-Exfiltration\\\" or\\n \\\"Do-Exfiltration\\\" or \\\"Invoke-DropboxUpload\\\" or\\n \\\"Invoke-ExfilDataToGitHub\\\" or \\\"Invoke-EgressCheck\\\" or\\n \\\"Invoke-PostExfil\\\" or \\\"Create-MultipleSessions\\\" or\\n \\\"Invoke-NetworkRelay\\\" or \\\"New-GPOImmediateTask\\\" or\\n \\\"Invoke-WMIDebugger\\\" or \\\"Invoke-SQLOSCMD\\\" or\\n \\\"Invoke-SMBExec\\\" or \\\"Invoke-PSRemoting\\\" or\\n \\\"Invoke-ExecuteMSBuild\\\" or \\\"Invoke-DCOM\\\" or\\n \\\"Invoke-InveighRelay\\\" or \\\"Invoke-PsExec\\\" or\\n \\\"Invoke-SSHCommand\\\" or 
\\\"Find-ActiveUsersWMI\\\" or\\n \\\"Get-SystemDrivesWMI\\\" or \\\"Get-ActiveNICSWMI\\\" or\\n \\\"Remove-Persistence\\\" or \\\"DNS_TXT_Pwnage\\\" or\\n \\\"Execute-OnTime\\\" or \\\"HTTP-Backdoor\\\" or\\n \\\"Add-ConstrainedDelegationBackdoor\\\" or \\\"Add-RegBackdoor\\\" or\\n \\\"Add-ScrnSaveBackdoor\\\" or \\\"Gupt-Backdoor\\\" or\\n \\\"Invoke-ADSBackdoor\\\" or \\\"Add-Persistence\\\" or\\n \\\"Invoke-ResolverBackdoor\\\" or \\\"Invoke-EventLogBackdoor\\\" or\\n \\\"Invoke-DeadUserBackdoor\\\" or \\\"Invoke-DisableMachineAcctChange\\\" or\\n \\\"Invoke-AccessBinary\\\" or \\\"Add-NetUser\\\" or\\n \\\"Invoke-Schtasks\\\" or \\\"Invoke-JSRatRegsvr\\\" or\\n \\\"Invoke-JSRatRundll\\\" or \\\"Invoke-PoshRatHttps\\\" or\\n \\\"Invoke-PsGcatAgent\\\" or \\\"Remove-PoshRat\\\" or\\n \\\"Install-SSP\\\" or \\\"Invoke-BackdoorLNK\\\" or\\n \\\"PowerBreach\\\" or \\\"InstallEXE-Persistence\\\" or\\n \\\"RemoveEXE-Persistence\\\" or \\\"Install-ServiceLevel-Persistence\\\" or\\n \\\"Remove-ServiceLevel-Persistence\\\" or \\\"Invoke-Prompt\\\" or\\n \\\"Invoke-PacketCapture\\\" or \\\"Start-WebcamRecorder\\\" or\\n \\\"Get-USBKeyStrokes\\\" or \\\"Invoke-KeeThief\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"Invoke-NetRipper\\\" or\\n \\\"Get-EmailItems\\\" or \\\"Invoke-MailSearch\\\" or\\n \\\"Invoke-SearchGAL\\\" or \\\"Get-WebCredentials\\\" or\\n \\\"Start-CaptureServer\\\" or \\\"Invoke-PowerShellIcmp\\\" or\\n \\\"Invoke-PowerShellTcpOneLine\\\" or \\\"Invoke-PowerShellTcpOneLineBind\\\" or\\n \\\"Invoke-PowerShellUdp\\\" or \\\"Invoke-PowerShellUdpOneLine\\\" or\\n \\\"Run-EXEonRemote\\\" or \\\"Download-Execute-PS\\\" or\\n \\\"Out-RundllCommand\\\" or \\\"Set-RemoteWMI\\\" or\\n \\\"Set-DCShadowPermissions\\\" or \\\"Invoke-PowerShellWMI\\\" or\\n \\\"Invoke-Vnc\\\" or \\\"Invoke-LockWorkStation\\\" or\\n \\\"Invoke-EternalBlue\\\" or \\\"Invoke-ShellcodeMSIL\\\" or\\n \\\"Invoke-MetasploitPayload\\\" or \\\"Invoke-DowngradeAccount\\\" or\\n 
\\\"Invoke-RunAs\\\" or \\\"ExetoText\\\" or\\n \\\"Disable-SecuritySettings\\\" or \\\"Set-MacAttribute\\\" or\\n \\\"Invoke-MS16032\\\" or \\\"Invoke-BypassUACTokenManipulation\\\" or\\n \\\"Invoke-SDCLTBypass\\\" or \\\"Invoke-FodHelperBypass\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-EnvBypass\\\" or\\n \\\"Get-ServiceUnquoted\\\" or \\\"Get-ServiceFilePermission\\\" or\\n \\\"Get-ServicePermission\\\" or\\n \\\"Enable-DuplicateToken\\\" or \\\"Invoke-PsUaCme\\\" or\\n \\\"Invoke-Tater\\\" or \\\"Invoke-WScriptBypassUAC\\\" or\\n \\\"Invoke-AllChecks\\\" or \\\"Find-TrustedDocuments\\\" or\\n \\\"Invoke-Interceptor\\\" or \\\"Invoke-PoshRatHttp\\\" or\\n \\\"Invoke-ExecCommandWMI\\\" or \\\"Invoke-KillProcessWMI\\\" or\\n \\\"Invoke-CreateShareandExecute\\\" or \\\"Invoke-RemoteScriptWithOutput\\\" or\\n \\\"Invoke-SchedJobManipulation\\\" or \\\"Invoke-ServiceManipulation\\\" or\\n \\\"Invoke-PowerOptionsWMI\\\" or \\\"Invoke-DirectoryListing\\\" or\\n \\\"Invoke-FileTransferOverWMI\\\" or \\\"Invoke-WMImplant\\\" or\\n \\\"Invoke-WMIObfuscatedPSCommand\\\" or \\\"Invoke-WMIDuplicateClass\\\" or\\n \\\"Invoke-WMIUpload\\\" or \\\"Invoke-WMIRemoteExtract\\\" or \\\"Invoke-winPEAS\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\")\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Potential PowerShell HackTool Script by Function Names\",\"description\":\"Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. 
This rule aim is to take advantage of that.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Potential PowerShell HackTool Script by Function Names\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\\n\\n### Related Rules\\n\\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md\",\"https://github.com/BC-SECURITY/Empire\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0386789c-c0e0-423d-9eaf-3abbd81b9d15\",\"rule_id\":\"cde1bafa-9f01-4f43-a872-605b678968b0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.032Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.441Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\DataCollection\\\\\\\\*\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"Add-DomainGroupMember\\\" or \\\"Add-DomainObjectAcl\\\" or\\n \\\"Add-RemoteConnection\\\" or \\\"Add-ServiceDacl\\\" or\\n \\\"Add-Win32Type\\\" or \\\"Convert-ADName\\\" or\\n \\\"Convert-LDAPProperty\\\" or \\\"ConvertFrom-LDAPLogonHours\\\" or\\n \\\"ConvertFrom-UACValue\\\" or \\\"Copy-ArrayOfMemAddresses\\\" or\\n \\\"Create-NamedPipe\\\" or \\\"Create-ProcessWithToken\\\" or\\n \\\"Create-RemoteThread\\\" or \\\"Create-SuspendedWinLogon\\\" or\\n \\\"Create-WinLogonProcess\\\" or \\\"Emit-CallThreadStub\\\" or\\n \\\"Enable-SeAssignPrimaryTokenPrivilege\\\" or \\\"Enable-SeDebugPrivilege\\\" or\\n \\\"Enum-AllTokens\\\" or \\\"Export-PowerViewCSV\\\" or\\n \\\"Find-AVSignature\\\" or 
\\\"Find-AppLockerLog\\\" or\\n \\\"Find-DomainLocalGroupMember\\\" or \\\"Find-DomainObjectPropertyOutlier\\\" or\\n \\\"Find-DomainProcess\\\" or \\\"Find-DomainShare\\\" or\\n \\\"Find-DomainUserEvent\\\" or \\\"Find-DomainUserLocation\\\" or\\n \\\"Find-InterestingDomainAcl\\\" or \\\"Find-InterestingDomainShareFile\\\" or\\n \\\"Find-InterestingFile\\\" or \\\"Find-LocalAdminAccess\\\" or\\n \\\"Find-PSScriptsInPSAppLog\\\" or \\\"Find-PathDLLHijack\\\" or\\n \\\"Find-ProcessDLLHijack\\\" or \\\"Find-RDPClientConnection\\\" or\\n \\\"Get-AllAttributesForClass\\\" or \\\"Get-CachedGPPPassword\\\" or\\n \\\"Get-DecryptedCpassword\\\" or \\\"Get-DecryptedSitelistPassword\\\" or\\n \\\"Get-DelegateType\\\" or \\\"New-RelayEnumObject\\\" or\\n \\\"Get-DomainDFSShare\\\" or \\\"Get-DomainDFSShareV1\\\" or\\n \\\"Get-DomainDFSShareV2\\\" or \\\"Get-DomainDNSRecord\\\" or\\n \\\"Get-DomainDNSZone\\\" or \\\"Get-DomainFileServer\\\" or\\n \\\"Get-DomainForeignGroupMember\\\" or \\\"Get-DomainForeignUser\\\" or\\n \\\"Get-DomainGPO\\\" or \\\"Get-DomainGPOComputerLocalGroupMapping\\\" or\\n \\\"Get-DomainGPOLocalGroup\\\" or \\\"Get-DomainGPOUserLocalGroupMapping\\\" or\\n \\\"Get-DomainGUIDMap\\\" or \\\"Get-DomainGroup\\\" or\\n \\\"Get-DomainGroupMember\\\" or \\\"Get-DomainGroupMemberDeleted\\\" or\\n \\\"Get-DomainManagedSecurityGroup\\\" or \\\"Get-DomainOU\\\" or\\n \\\"Get-DomainObject\\\" or \\\"Get-DomainObjectAcl\\\" or\\n \\\"Get-DomainObjectAttributeHistory\\\" or \\\"Get-DomainObjectLinkedAttributeHistory\\\" or\\n \\\"Get-DomainPolicyData\\\" or \\\"Get-DomainSID\\\" or\\n \\\"Get-DomainSPNTicket\\\" or \\\"Get-DomainSearcher\\\" or\\n \\\"Get-DomainSite\\\" or \\\"Get-DomainSubnet\\\" or\\n \\\"Get-DomainTrust\\\" or \\\"Get-DomainTrustMapping\\\" or\\n \\\"Get-DomainUser\\\" or \\\"Get-DomainUserEvent\\\" or\\n \\\"Get-Forest\\\" or \\\"Get-ForestDomain\\\" or\\n \\\"Get-ForestGlobalCatalog\\\" or \\\"Get-ForestSchemaClass\\\" or\\n 
\\\"Get-ForestTrust\\\" or \\\"Get-GPODelegation\\\" or\\n \\\"Get-GPPAutologon\\\" or \\\"Get-GPPInnerField\\\" or\\n \\\"Get-GPPInnerFields\\\" or \\\"Get-GPPPassword\\\" or\\n \\\"Get-GptTmpl\\\" or \\\"Get-GroupsXML\\\" or\\n \\\"Get-HttpStatus\\\" or \\\"Get-ImageNtHeaders\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"New-SOASerialNumberArray\\\" or \\n \\\"Get-MemoryProcAddress\\\" or \\\"Get-MicrophoneAudio\\\" or\\n \\\"Get-ModifiablePath\\\" or \\\"Get-ModifiableRegistryAutoRun\\\" or\\n \\\"Get-ModifiableScheduledTaskFile\\\" or \\\"Get-ModifiableService\\\" or\\n \\\"Get-ModifiableServiceFile\\\" or \\\"Get-Name\\\" or\\n \\\"Get-NetComputerSiteName\\\" or \\\"Get-NetLocalGroup\\\" or\\n \\\"Get-NetLocalGroupMember\\\" or \\\"Get-NetLoggedon\\\" or\\n \\\"Get-NetRDPSession\\\" or \\\"Get-NetSession\\\" or\\n \\\"Get-NetShare\\\" or \\\"Get-PEArchitecture\\\" or\\n \\\"Get-PEBasicInfo\\\" or \\\"Get-PEDetailedInfo\\\" or\\n \\\"Get-PathAcl\\\" or \\\"Get-PrimaryToken\\\" or\\n \\\"Get-ProcAddress\\\" or \\\"Get-ProcessTokenGroup\\\" or\\n \\\"Get-ProcessTokenPrivilege\\\" or \\\"Get-ProcessTokenType\\\" or\\n \\\"Get-RegLoggedOn\\\" or \\\"Get-RegistryAlwaysInstallElevated\\\" or\\n \\\"Get-RegistryAutoLogon\\\" or \\\"Get-RemoteProcAddress\\\" or\\n \\\"Get-Screenshot\\\" or \\\"Get-ServiceDetail\\\" or\\n \\\"Get-SiteListPassword\\\" or \\\"Get-SitelistField\\\" or\\n \\\"Get-System\\\" or \\\"Get-SystemNamedPipe\\\" or\\n \\\"Get-SystemToken\\\" or \\\"Get-ThreadToken\\\" or\\n \\\"Get-TimedScreenshot\\\" or \\\"Get-TokenInformation\\\" or\\n \\\"Get-TopPort\\\" or \\\"Get-UnattendedInstallFile\\\" or\\n \\\"Get-UniqueTokens\\\" or \\\"Get-UnquotedService\\\" or\\n \\\"Get-VaultCredential\\\" or \\\"Get-VaultElementValue\\\" or\\n \\\"Get-VirtualProtectValue\\\" or \\\"Get-VolumeShadowCopy\\\" or\\n \\\"Get-WMIProcess\\\" or \\\"Get-WMIRegCachedRDPConnection\\\" or\\n \\\"Get-WMIRegLastLoggedOn\\\" or \\\"Get-WMIRegMountedDrive\\\" or\\n 
\\\"Get-WMIRegProxy\\\" or \\\"Get-WebConfig\\\" or\\n \\\"Get-Win32Constants\\\" or \\\"Get-Win32Functions\\\" or\\n \\\"Get-Win32Types\\\" or \\\"Import-DllImports\\\" or\\n \\\"Import-DllInRemoteProcess\\\" or \\\"Inject-LocalShellcode\\\" or\\n \\\"Inject-RemoteShellcode\\\" or \\\"Install-ServiceBinary\\\" or\\n \\\"Invoke-CompareAttributesForClass\\\" or \\\"Invoke-CreateRemoteThread\\\" or\\n \\\"Invoke-CredentialInjection\\\" or \\\"Invoke-DllInjection\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-ImpersonateUser\\\" or\\n \\\"Invoke-Kerberoast\\\" or \\\"Invoke-MemoryFreeLibrary\\\" or\\n \\\"Invoke-MemoryLoadLibrary\\\" or\\n \\\"Invoke-Mimikatz\\\" or \\\"Invoke-NinjaCopy\\\" or\\n \\\"Invoke-PatchDll\\\" or \\\"Invoke-Portscan\\\" or\\n \\\"Invoke-PrivescAudit\\\" or \\\"Invoke-ReflectivePEInjection\\\" or\\n \\\"Invoke-ReverseDnsLookup\\\" or \\\"Invoke-RevertToSelf\\\" or\\n \\\"Invoke-ServiceAbuse\\\" or \\\"Invoke-Shellcode\\\" or\\n \\\"Invoke-TokenManipulation\\\" or \\\"Invoke-UserImpersonation\\\" or\\n \\\"Invoke-WmiCommand\\\" or \\\"Mount-VolumeShadowCopy\\\" or\\n \\\"New-ADObjectAccessControlEntry\\\" or \\\"New-DomainGroup\\\" or\\n \\\"New-DomainUser\\\" or \\\"New-DynamicParameter\\\" or\\n \\\"New-InMemoryModule\\\" or\\n \\\"New-ThreadedFunction\\\" or \\\"New-VolumeShadowCopy\\\" or\\n \\\"Out-CompressedDll\\\" or \\\"Out-EncodedCommand\\\" or\\n \\\"Out-EncryptedScript\\\" or \\\"Out-Minidump\\\" or\\n \\\"PortScan-Alive\\\" or \\\"Portscan-Port\\\" or\\n \\\"Remove-DomainGroupMember\\\" or \\\"Remove-DomainObjectAcl\\\" or\\n \\\"Remove-RemoteConnection\\\" or \\\"Remove-VolumeShadowCopy\\\" or\\n \\\"Restore-ServiceBinary\\\" or \\\"Set-DesktopACLToAllowEveryone\\\" or\\n \\\"Set-DesktopACLs\\\" or \\\"Set-DomainObject\\\" or\\n \\\"Set-DomainObjectOwner\\\" or \\\"Set-DomainUserPassword\\\" or\\n \\\"Set-ServiceBinaryPath\\\" or \\\"Sub-SignedIntAsUnsigned\\\" or\\n \\\"Test-AdminAccess\\\" or \\\"Test-MemoryRangeValid\\\" 
or\\n \\\"Test-ServiceDaclPermission\\\" or \\\"Update-ExeFunctions\\\" or\\n \\\"Update-MemoryAddresses\\\" or \\\"Update-MemoryProtectionFlags\\\" or\\n \\\"Write-BytesToMemory\\\" or \\\"Write-HijackDll\\\" or\\n \\\"Write-PortscanOut\\\" or \\\"Write-ServiceBinary\\\" or\\n \\\"Write-UserAddMSI\\\" or \\\"Invoke-Privesc\\\" or\\n \\\"func_get_proc_address\\\" or \\\"Invoke-BloodHound\\\" or\\n \\\"Invoke-HostEnum\\\" or \\\"Get-BrowserInformation\\\" or\\n \\\"Get-DomainAccountPolicy\\\" or \\\"Get-DomainAdmins\\\" or\\n \\\"Get-AVProcesses\\\" or \\\"Get-AVInfo\\\" or\\n \\\"Get-RecycleBin\\\" or \\\"Invoke-BruteForce\\\" or\\n \\\"Get-PassHints\\\" or \\\"Invoke-SessionGopher\\\" or\\n \\\"Get-LSASecret\\\" or \\\"Get-PassHashes\\\" or\\n \\\"Invoke-WdigestDowngrade\\\" or \\\"Get-ChromeDump\\\" or\\n \\\"Invoke-DomainPasswordSpray\\\" or \\\"Get-FoxDump\\\" or\\n \\\"New-HoneyHash\\\" or \\\"Invoke-DCSync\\\" or\\n \\\"Invoke-PowerDump\\\" or \\\"Invoke-SSIDExfil\\\" or\\n \\\"Invoke-PowerShellTCP\\\" or \\\"Add-Exfiltration\\\" or\\n \\\"Do-Exfiltration\\\" or \\\"Invoke-DropboxUpload\\\" or\\n \\\"Invoke-ExfilDataToGitHub\\\" or \\\"Invoke-EgressCheck\\\" or\\n \\\"Invoke-PostExfil\\\" or \\\"Create-MultipleSessions\\\" or\\n \\\"Invoke-NetworkRelay\\\" or \\\"New-GPOImmediateTask\\\" or\\n \\\"Invoke-WMIDebugger\\\" or \\\"Invoke-SQLOSCMD\\\" or\\n \\\"Invoke-SMBExec\\\" or \\\"Invoke-PSRemoting\\\" or\\n \\\"Invoke-ExecuteMSBuild\\\" or \\\"Invoke-DCOM\\\" or\\n \\\"Invoke-InveighRelay\\\" or \\\"Invoke-PsExec\\\" or\\n \\\"Invoke-SSHCommand\\\" or \\\"Find-ActiveUsersWMI\\\" or\\n \\\"Get-SystemDrivesWMI\\\" or \\\"Get-ActiveNICSWMI\\\" or\\n \\\"Remove-Persistence\\\" or \\\"DNS_TXT_Pwnage\\\" or\\n \\\"Execute-OnTime\\\" or \\\"HTTP-Backdoor\\\" or\\n \\\"Add-ConstrainedDelegationBackdoor\\\" or \\\"Add-RegBackdoor\\\" or\\n \\\"Add-ScrnSaveBackdoor\\\" or \\\"Gupt-Backdoor\\\" or\\n \\\"Invoke-ADSBackdoor\\\" or \\\"Add-Persistence\\\" or\\n 
\\\"Invoke-ResolverBackdoor\\\" or \\\"Invoke-EventLogBackdoor\\\" or\\n \\\"Invoke-DeadUserBackdoor\\\" or \\\"Invoke-DisableMachineAcctChange\\\" or\\n \\\"Invoke-AccessBinary\\\" or \\\"Add-NetUser\\\" or\\n \\\"Invoke-Schtasks\\\" or \\\"Invoke-JSRatRegsvr\\\" or\\n \\\"Invoke-JSRatRundll\\\" or \\\"Invoke-PoshRatHttps\\\" or\\n \\\"Invoke-PsGcatAgent\\\" or \\\"Remove-PoshRat\\\" or\\n \\\"Install-SSP\\\" or \\\"Invoke-BackdoorLNK\\\" or\\n \\\"PowerBreach\\\" or \\\"InstallEXE-Persistence\\\" or\\n \\\"RemoveEXE-Persistence\\\" or \\\"Install-ServiceLevel-Persistence\\\" or\\n \\\"Remove-ServiceLevel-Persistence\\\" or \\\"Invoke-Prompt\\\" or\\n \\\"Invoke-PacketCapture\\\" or \\\"Start-WebcamRecorder\\\" or\\n \\\"Get-USBKeyStrokes\\\" or \\\"Invoke-KeeThief\\\" or\\n \\\"Get-Keystrokes\\\" or \\\"Invoke-NetRipper\\\" or\\n \\\"Get-EmailItems\\\" or \\\"Invoke-MailSearch\\\" or\\n \\\"Invoke-SearchGAL\\\" or \\\"Get-WebCredentials\\\" or\\n \\\"Start-CaptureServer\\\" or \\\"Invoke-PowerShellIcmp\\\" or\\n \\\"Invoke-PowerShellTcpOneLine\\\" or \\\"Invoke-PowerShellTcpOneLineBind\\\" or\\n \\\"Invoke-PowerShellUdp\\\" or \\\"Invoke-PowerShellUdpOneLine\\\" or\\n \\\"Run-EXEonRemote\\\" or \\\"Download-Execute-PS\\\" or\\n \\\"Out-RundllCommand\\\" or \\\"Set-RemoteWMI\\\" or\\n \\\"Set-DCShadowPermissions\\\" or \\\"Invoke-PowerShellWMI\\\" or\\n \\\"Invoke-Vnc\\\" or \\\"Invoke-LockWorkStation\\\" or\\n \\\"Invoke-EternalBlue\\\" or \\\"Invoke-ShellcodeMSIL\\\" or\\n \\\"Invoke-MetasploitPayload\\\" or \\\"Invoke-DowngradeAccount\\\" or\\n \\\"Invoke-RunAs\\\" or \\\"ExetoText\\\" or\\n \\\"Disable-SecuritySettings\\\" or \\\"Set-MacAttribute\\\" or\\n \\\"Invoke-MS16032\\\" or \\\"Invoke-BypassUACTokenManipulation\\\" or\\n \\\"Invoke-SDCLTBypass\\\" or \\\"Invoke-FodHelperBypass\\\" or\\n \\\"Invoke-EventVwrBypass\\\" or \\\"Invoke-EnvBypass\\\" or\\n \\\"Get-ServiceUnquoted\\\" or \\\"Get-ServiceFilePermission\\\" or\\n \\\"Get-ServicePermission\\\" 
or\\n \\\"Enable-DuplicateToken\\\" or \\\"Invoke-PsUaCme\\\" or\\n \\\"Invoke-Tater\\\" or \\\"Invoke-WScriptBypassUAC\\\" or\\n \\\"Invoke-AllChecks\\\" or \\\"Find-TrustedDocuments\\\" or\\n \\\"Invoke-Interceptor\\\" or \\\"Invoke-PoshRatHttp\\\" or\\n \\\"Invoke-ExecCommandWMI\\\" or \\\"Invoke-KillProcessWMI\\\" or\\n \\\"Invoke-CreateShareandExecute\\\" or \\\"Invoke-RemoteScriptWithOutput\\\" or\\n \\\"Invoke-SchedJobManipulation\\\" or \\\"Invoke-ServiceManipulation\\\" or\\n \\\"Invoke-PowerOptionsWMI\\\" or \\\"Invoke-DirectoryListing\\\" or\\n \\\"Invoke-FileTransferOverWMI\\\" or \\\"Invoke-WMImplant\\\" or\\n \\\"Invoke-WMIObfuscatedPSCommand\\\" or \\\"Invoke-WMIDuplicateClass\\\" or\\n \\\"Invoke-WMIUpload\\\" or \\\"Invoke-WMIRemoteExtract\\\" or \\\"Invoke-winPEAS\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\"\\n ) and\\n not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-19\\\")\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"revision\":0,\"current_rule\":{\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"updated_at\":\"2024-12-04T19:46:04.769Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.769Z\",\"created_by\":\"elastic\",\"name\":\"Shadow File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.path == \\\"/etc/shadow\\\" and file.Ext.original.path != null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Shadow File Modification\",\"description\":\"This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. 
Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click Add integrations.\\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\\n- Click Add Elastic Defend.\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest to select \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click Save and Continue.\\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"10909350-5c6c-43bc-9e26-29ccefd8ee16\",\"rule_id\":\"cdf1a39b-1ca5-4e2a-9739-17fc4d026029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.769Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.path == \\\"/etc/shadow\\\" and file.Ext.original.path != null\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"revision\":0,\"current_rule\":{\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"updated_at\":\"2024-12-04T19:45:58.443Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.443Z\",\"created_by\":\"elastic\",\"name\":\"New ActiveSyncAllowedDeviceID Added via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. 
Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"from\":\"now-9m\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.002\",\"name\":\"Additional Email Delegate Permissions\",\"reference\":\"https://attack.mitre.org/techniques/T1098/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and process.args : \\\"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"New ActiveSyncAllowedDeviceID Added via 
PowerShell\",\"description\":\"Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate exchange system administration activity.\"],\"references\":[\"https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/\",\"https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.002\",\"name\":\"Additional Email Delegate Permissions\",\"reference\":\"https://attack.mitre.org/techniques/T1098/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ec6b8751-cfc7-40c6-be4a-8c5c5ade68c3\",\"rule_id\":\"ce64d965-6cb0-466d-b74f-8d2c76f47f05\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.443Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name: (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and process.args : \\\"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"revision\":0,\"current_rule\":{\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"updated_at\":\"2024-12-04T19:45:58.448Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.448Z\",\"created_by\":\"elastic\",\"name\":\"Domain Added to Google Workspace Trusted Domains\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Domain Added to Google Workspace Trusted Domains\\n\\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\\n\\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. 
Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\\n\\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\\n- Filter your data. Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\\n\\n### False positive analysis\\n\\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted domains may be added by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://support.google.com/a/answer/6160020?hl=en\"],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Domain Added to Google Workspace Trusted Domains\",\"description\":\"Detects when a domain is added to the list of trusted Google Workspace domains. 
An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Domain Added to Google Workspace Trusted Domains\\n\\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\\n\\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\\n\\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\\n\\n#### Possible investigation steps\\n\\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\\n- Filter your data. 
Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\\n\\n### False positive analysis\\n\\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Configuration Audit\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted domains may be added by system administrators. 
Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"68c8421a-1351-4d3b-82cb-e1b66573ede3\",\"rule_id\":\"cf549724-c577-4fd6-8f9b-d1b8ec519ec0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.448Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and 
event.action:ADD_TRUSTED_DOMAINS\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://support.google.com/a/answer/6160020?hl=en\"],\"target_version\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/6160020?hl=en\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"revision\":0,\"current_rule\":{\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"updated_at\":\"2024-12-04T19:46:04.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.774Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Discovery Activity by User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.kind\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"kibana.alert.rule.rule_id\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\\n \\\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\\\" or \\\"7b8bfc26-81d2-435e-965c-d722ee397ef1\\\" or\\n \\\"0635c542-1b96-4335-9b47-126582d2c19a\\\" or \\\"6ea55c81-e2ba-42f2-a134-bccf857ba922\\\" or\\n \\\"e0881d20-54ac-457f-8733-fe0bc5d44c55\\\" or \\\"06568a02-af29-4f20-929c-f3af281e41aa\\\" or\\n \\\"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\\\" or \\\"51176ed2-2d90-49f2-9f3d-17196428b169\\\" or\\n \\\"1d72d014-e2ab-4707-b056-9b96abe7b511\\\"\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\".alerts-security.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Discovery Activity by User\",\"description\":\"This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[{\"name\":\"event.kind\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"kibana.alert.rule.rule_id\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"594a7b0c-0369-4e0d-8856-27a41cd705c6\",\"rule_id\":\"cf575427-0839-4c69-a9e6-99fde02606f3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\\n \\\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\\\" or \\\"7b8bfc26-81d2-435e-965c-d722ee397ef1\\\" or\\n \\\"0635c542-1b96-4335-9b47-126582d2c19a\\\" or \\\"6ea55c81-e2ba-42f2-a134-bccf857ba922\\\" or\\n \\\"e0881d20-54ac-457f-8733-fe0bc5d44c55\\\" or \\\"06568a02-af29-4f20-929c-f3af281e41aa\\\" or\\n \\\"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\\\" or \\\"51176ed2-2d90-49f2-9f3d-17196428b169\\\" or\\n 
\\\"1d72d014-e2ab-4707-b056-9b96abe7b511\\\"\\n)\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\".alerts-security.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: Higher-Order Rule\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"revision\":0,\"current_rule\":{\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"updated_at\":\"2024-12-04T19:45:58.453Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.453Z\",\"created_by\":\"elastic\",\"name\":\"Execution from Unusual Directory - Command Line\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process execution from suspicious default Windows directories. 
This may be abused by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution from Unusual Directory - Command Line\\n\\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n 
- !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions.\\n\\n### Related rules\\n\\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or 
Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"wscript.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"cmstp.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"installutil.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cmd.exe\\\") and\\n\\n /* add suspicious execution paths here */\\n process.args : (\\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\") and\\n\\n /* noisy FP patterns */\\n\\n not process.parent.executable : (\\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\igfxCUIService*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spacedeskService.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SupportAssistAgent\\\\\\\\SRE\\\\\\\\SRE.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and\\n process.args : (\\\"uxtheme.dll,#64\\\",\\n 
\\\"PRINTUI.DLL,PrintUIEntry\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\FirewallControlPanel.dll,ShowNotificationDialog\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\Speech\\\\\\\\SpeechUX\\\\\\\\sapi.cpl\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\shell32.dll,OpenAs_RunDLL\\\")) and\\n\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\powercfg.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\inf\\\\\\\\PowerPlan.log\\\") and\\n\\n not (process.name : \\\"regsvr32.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\OEM\\\\\\\\scripts\\\\\\\\checkmui.dll\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and\\n process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\windeploy.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ossec-agent\\\\\\\\wazuh-agent.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\igfxCUIService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\IE*.tmp\\\\\\\\IE*-support\\\\\\\\ienrcore.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution from Unusual Directory - Command Line\",\"description\":\"Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution from Unusual Directory - Command Line\\n\\nThis rule looks for the execution of scripts from unusual directories. 
Attackers can use system or application paths to hide malware and make the execution less suspicious.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine which commands or scripts were executed.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of parent process executable and command line conditions.\\n\\n### Related rules\\n\\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c9a3050d-5e17-4073-a163-94edd2f0d06b\",\"rule_id\":\"cff92c41-2225-4763-b4ce-6f71e5bda5e6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.453Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"wscript.exe\\\",\\n \\\"cscript.exe\\\",\\n \\\"rundll32.exe\\\",\\n \\\"regsvr32.exe\\\",\\n \\\"cmstp.exe\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"installutil.exe\\\",\\n \\\"mshta.exe\\\",\\n \\\"RegSvcs.exe\\\",\\n \\\"powershell.exe\\\",\\n \\\"pwsh.exe\\\",\\n \\\"cmd.exe\\\") and\\n\\n /* add suspicious execution paths here */\\n process.args : (\\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Intel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*\\\",\\n \\\"c:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*\\\",\\n 
\\\"C:\\\\\\\\Windows\\\\\\\\twain_32\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\$Recycle.Bin\\\\\\\\*\\\") and\\n\\n /* noisy FP patterns */\\n\\n not process.parent.executable : (\\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\igfxCUIService*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spacedeskService.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Dell\\\\\\\\SupportAssistAgent\\\\\\\\SRE\\\\\\\\SRE.exe\\\") and\\n not (process.name : \\\"rundll32.exe\\\" and\\n process.args : (\\\"uxtheme.dll,#64\\\",\\n \\\"PRINTUI.DLL,PrintUIEntry\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\FirewallControlPanel.dll,ShowNotificationDialog\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\Speech\\\\\\\\SpeechUX\\\\\\\\sapi.cpl\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\shell32.dll,OpenAs_RunDLL\\\")) and\\n\\n not (process.name : \\\"cscript.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\calluxxprovider.vbs\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\powercfg.exe\\\" and process.args : \\\"?:\\\\\\\\WINDOWS\\\\\\\\inf\\\\\\\\PowerPlan.log\\\") and\\n\\n not (process.name : \\\"regsvr32.exe\\\" and process.args : \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\OEM\\\\\\\\scripts\\\\\\\\checkmui.dll\\\") and\\n\\n not (process.name : \\\"cmd.exe\\\" and\\n process.parent.executable : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\windeploy.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\ossec-agent\\\\\\\\wazuh-agent.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\igfxCUIService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\IE*.tmp\\\\\\\\IE*-support\\\\\\\\ienrcore.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper\",\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"revision\":0,\"current_rule\":{\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"updated_at\":\"2024-12-04T19:45:40.251Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.251Z\",\"created_by\":\"elastic\",\"name\":\"Registry Persistence via AppInit DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. 
The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Registry Persistence via AppInit DLL\\n\\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\\n\\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\\n\\nThis rule identifies modifications on the AppInit registry keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related DLL file tied to the Windows Registry entry.\\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Retrieve all DLLs under the AppInit registry keys:\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve AppInit Registry Value\\\",\\\"query\\\":\\\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows' or\\\\nr.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows') and r.name ==\\\\n'AppInit_DLLs'\\\\n\\\"}}\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.010\",\"name\":\"AppInit DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/010/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Registry Persistence via AppInit DLL\",\"description\":\"AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. 
Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Registry Persistence via AppInit DLL\\n\\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\\n\\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\\n\\nThis rule identifies modifications on the AppInit registry keys.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Review the source process and related DLL file tied to the Windows Registry entry.\\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Retrieve all DLLs under the AppInit registry keys:\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve AppInit Registry Value\\\",\\\"query\\\":\\\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows' or\\\\nr.key == 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows') and r.name ==\\\\n'AppInit_DLLs'\\\\n\\\"}}\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.010\",\"name\":\"AppInit DLLs\",\"reference\":\"https://attack.mitre.org/techniques/T1546/010/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"d8e9c974-16c1-4e6f-9cea-48c3f7ff6a8c\",\"rule_id\":\"d0e159cf-73e9-40d1-a9ed-077e3158a855\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.251Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Wow6432Node\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows\\\\\\\\AppInit_Dlls\\\"\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DriverStore\\\\\\\\FileRepository\\\\\\\\*\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Commvault\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Commvault\\\\\\\\ContentStore*\\\\\\\\Base\\\\\\\\cvd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\NVIDIA Corporation\\\\\\\\Display.NvContainer\\\\\\\\NVDisplay.Container.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"revision\":0,\"current_rule\":{\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"updated_at\":\"2024-12-04T19:45:58.460Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.460Z\",\"created_by\":\"elastic\",\"name\":\"Symbolic Link to Shadow Copy Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic 
Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Symbolic Link to Shadow Copy Created\\n\\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if a volume shadow copy was recently created on this endpoint.\\n- Review privileges of the end user as this requires administrative access.\\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\\n- Investigate recent deletions of volume shadow copies.\\n- Identify other files potentially copied from volume shadow copy paths directly.\\n\\n### False positive analysis\\n\\n- This rule should cause very few false positives. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Locate and remove static files copied from volume shadow copies.\\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate administrative activity related to shadow copies.\"],\"from\":\"now-9m\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential 
Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink\",\"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\",\"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/\",\"https://www.hackingarticles.in/credential-dumping-ntds-dit/\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are 
created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (?process.pe.original_file_name in (\\\"Cmd.Exe\\\",\\\"PowerShell.EXE\\\")) or\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* Create Symbolic Link to Shadow Copies */\\n process.args : (\\\"*mklink*\\\", \\\"*SymbolicLink*\\\") and process.command_line : (\\\"*HarddiskVolumeShadowCopy*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Symbolic Link to Shadow Copy Created\",\"description\":\"Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Symbolic Link to Shadow Copy Created\\n\\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. 
Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if a volume shadow copy was recently created on this endpoint.\\n- Review privileges of the end user as this requires administrative access.\\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\\n- Investigate recent deletions of volume shadow copies.\\n- Identify other files potentially copied from volume shadow copy paths directly.\\n\\n### False positive analysis\\n\\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- If the entire domain or the `krbtgt` user was compromised:\\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\\n- Locate and remove static files copied from volume shadow copies.\\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"Legitimate administrative activity related to shadow 
copies.\"],\"references\":[\"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink\",\"https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf\",\"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/\",\"https://www.hackingarticles.in/credential-dumping-ntds-dit/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]}],\"setup\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this 
rule.\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33128964-faa3-4385-a305-60b0141bfb97\",\"rule_id\":\"d117cbb4-7d56-41b4-b999-bdf8c25648a0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.460Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n (?process.pe.original_file_name in (\\\"Cmd.Exe\\\",\\\"PowerShell.EXE\\\")) or\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\"))\\n ) and\\n\\n /* Create Symbolic Link to Shadow Copies */\\n process.args : (\\\"*mklink*\\\", \\\"*SymbolicLink*\\\") and process.command_line : 
(\\\"*HarddiskVolumeShadowCopy*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an 
Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\",\"merged_version\":\"## Setup\\n\\nEnsure advanced audit policies for Windows are enabled, specifically:\\nObject Access policies [Event ID 
4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nSystem Audit Policies >\\nObject Access >\\nAudit File System (Success,Failure)\\nAudit Handle Manipulation (Success,Failure)\\n```\\n\\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"revision\":0,\"current_rule\":{\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"updated_at\":\"2024-12-04T19:45:58.473Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.473Z\",\"created_by\":\"elastic\",\"name\":\"Disabling User Account Control via Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. 
With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Account Control (UAC) protection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling User Account Control via Registry Modification\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\\n- Retrieve the suspicious processes' executables and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled tasks creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore UAC settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Disabling User Account Control via Registry Modification\",\"description\":\"User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Disabling User Account Control via Registry Modification\\n\\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. 
UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\\n\\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\\n\\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\\n- Retrieve the suspicious processes' executables and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled tasks creation.\\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This 
activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore UAC settings to the desired state.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"833e9e6e-ead2-4fd4-b335-abc7f1c67860\",\"rule_id\":\"d31f183a-e5b1-451b-8534-ba62bca0b404\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.473Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic 
Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\"],\"target_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four\"],\"merged_version\":[\"https://www.greyhathacker.net/?p=796\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings\",\"https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview\",\"https://www.elas
tic.co/security-labs/dissecting-remcos-rat-part-four\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path :\\n (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\EnableLUA\\\",\\n 
\\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\ConsentPromptBehaviorAdmin\\\",\\n \\\"MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\System\\\\\\\\PromptOnSecureDesktop\\\"\\n ) and\\n registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"revision\":0,\"current_rule\":{\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"updated_at\":\"2024-12-04T19:45:58.476Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.476Z\",\"created_by\":\"elastic\",\"name\":\"Clearing Windows Event Logs\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: 
Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to clear or disable Windows event log stores using Windows wevtutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Event Logs\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"},{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Clearing Windows Event Logs\",\"description\":\"Identifies attempts to clear or disable 
Windows event log stores using Windows wevtutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Clearing Windows Event Logs\\n\\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\\n\\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":315,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.001\",\"name\":\"Clear Windows Event Logs\",\"reference\":\"https://attack.mitre.org/techniques/T1070/001/\"},{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0e689fd9-2c5b-4096-8404-76cce264a283\",\"rule_id\":\"d331bbe2-6db4-4941-80a5-8270db72eb61\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.476Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n 
?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":315,\"merged_version\":315,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", 
\\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (\\n (process.name : \\\"wevtutil.exe\\\" or ?process.pe.original_file_name == \\\"wevtutil.exe\\\") and\\n process.args : (\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\")\\n ) or\\n (\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"Clear-EventLog\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"revision\":0,\"current_rule\":{\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"updated_at\":\"2024-12-04T19:45:58.478Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.478Z\",\"created_by\":\"elastic\",\"name\":\"Remote Windows Service Installed\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\\\"\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\\n[authentication where event.action == \\\"logged-in\\\" and winlog.logon.type : \\\"Network\\\" and\\nevent.outcome==\\\"success\\\" and source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n[iam where event.action == \\\"service-installed\\\" and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and\\n not winlog.event_data.ServiceFileName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote Windows Service Installed\",\"description\":\"Identifies a network logon followed by Windows service creation with same LogonId. 
This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\\\"\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.id\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"fc9425c7-279d-4083-abad-41bda97fa14d\",\"rule_id\":\"d33ea3bf-9a11-463e-bd46-f648f2a0f4b1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.478Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\\n[authentication where event.action == \\\"logged-in\\\" and winlog.logon.type : \\\"Network\\\" and\\nevent.outcome==\\\"success\\\" and source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\"]\\n[iam where event.action == \\\"service-installed\\\" and\\n not winlog.event_data.SubjectLogonId : \\\"0x3e7\\\" and\\n not winlog.event_data.ServiceFileName :\\n (\\\"?:\\\\\\\\Windows\\\\\\\\ADCR_Agent\\\\\\\\adcrsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\TrustedInstaller.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\PSEXESVC.EXE\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\sppsvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiApSrv.exe\\\",\\n \\\"?:\\\\\\\\WINDOWS\\\\\\\\RemoteAuditService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\VeeamLogShipper\\\\\\\\VeeamLogShipper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CAInvokerService.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\upfc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQ*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vds.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Veeam\\\\\\\\Backup\\\\\\\\VeeamDeploymentSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ProPatches\\\\\\\\Scheduler\\\\\\\\STSchedEx.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\certsrv.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\eset-remote-install-service.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\OSCToGPAutoService\\\\\\\\OSCToGPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Pella Corporation\\\\\\\\Pella Order Management\\\\\\\\GPAutoSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\NwxExeSvc\\\\\\\\NwxExeSvc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostex.exe\\\")]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Persistence\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"revision\":0,\"current_rule\":{\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"updated_at\":\"2024-12-04T19:45:58.481Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.481Z\",\"created_by\":\"elastic\",\"name\":\"WMI WBEMTEST Utility Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"wbemtest.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMI WBEMTEST Utility Execution\",\"description\":\"Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"ba0f24fd-ef0b-4e9a-8bcc-07be5baa9483\",\"rule_id\":\"d3551433-782f-4e22-bbea-c816af2d41c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:58.481Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"wbemtest.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: 
Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"revision\":0,\"current_rule\":{\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"updated_at\":\"2024-12-04T19:45:40.253Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.253Z\",\"created_by\":\"elastic\",\"name\":\"Privilege Escalation via Windir Environment Variable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: 
Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.007\",\"name\":\"Path Interception by PATH Environment Variable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" 
and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privilege Escalation via Windir Environment Variable\",\"description\":\"Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.007\",\"name\":\"Path Interception by PATH Environment Variable\",\"reference\":\"https://attack.mitre.org/techniques/T1574/007/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"61b0c2b3-5881-4740-bc54-e3d7027d0a6c\",\"rule_id\":\"d563aaba-2e72-462b-8658-3e5ea22db3a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.253Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n 
\\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n 
\\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.value : (\\\"windir\\\", \\\"systemroot\\\") and\\nregistry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"HKCU\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\windir\\\",\\n \\\"USER\\\\\\\\*\\\\\\\\Environment\\\\\\\\systemroot\\\"\\n ) and\\n not registry.data.strings : (\\\"C:\\\\\\\\windows\\\", \\\"%SystemRoot%\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"revision\":0,\"current_rule\":{\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"updated_at\":\"2024-12-04T19:45:59.628Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.628Z\",\"created_by\":\"elastic\",\"name\":\"Service Command Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of sc.exe to create, modify, or start services on remote hosts. 
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan = 1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"\\\\\\\\\\\\\\\\*\\\" and process.args : (\\\"binPath=*\\\", \\\"binpath=*\\\") and\\n process.args : (\\\"create\\\", \\\"config\\\", \\\"failure\\\", \\\"start\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"sc.exe\\\" and destination.ip != \\\"127.0.0.1\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Command Lateral Movement\",\"description\":\"Identifies use of sc.exe to create, modify, or start services on remote hosts. 
This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"87a39cab-3811-437c-880b-5261bbc1256f\",\"rule_id\":\"d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.628Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan = 1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name : \\\"sc.exe\\\") and\\n process.args : \\\"\\\\\\\\\\\\\\\\*\\\" and process.args : (\\\"binPath=*\\\", \\\"binpath=*\\\") and\\n process.args : (\\\"create\\\", \\\"config\\\", \\\"failure\\\", \\\"start\\\")]\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"sc.exe\\\" and destination.ip != \\\"127.0.0.1\\\"]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"revision\":0,\"current_rule\":{\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"updated_at\":\"2024-12-04T19:46:04.783Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.783Z\",\"created_by\":\"elastic\",\"name\":\"Unusual DPKG Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the DPKG command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\"\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual DPKG Execution\",\"description\":\"This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the DPKG command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1621465c-c22b-49a5-8d69-b7b192c0998b\",\"rule_id\":\"d6241c90-99f2-44db-b50f-299b6ebd7ee9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.783Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" 
or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", \\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.group_leader.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs
\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.session_leader.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", \\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\nprocess.executable : \\\"/var/lib/dpkg/info/*\\\" and process.session_leader.name != null and\\nprocess.group_leader.name != null and not (\\n process.parent.name in (\\\"dpkg\\\", \\\"dpkg-reconfigure\\\") or\\n process.session_leader.name == \\\"dpkg\\\" or\\n process.group_leader.name == \\\"dpkg\\\" or\\n process.parent.executable in (\\\"/usr/share/debconf/frontend\\\", 
\\\"/usr/bin/unattended-upgrade\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"revision\":0,\"current_rule\":{\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"updated_at\":\"2024-12-04T19:45:59.503Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.503Z\",\"created_by\":\"elastic\",\"name\":\"System Information Discovery via Windows Command Shell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Information Discovery via Windows Command Shell\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\" and process.args : (\\\"set\\\", \\\"dir\\\") and\\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Information Discovery via Windows Command Shell\",\"description\":\"Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command 
Shell.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating System Information Discovery via Windows Command Shell\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1082\",\"name\":\"System Information Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1082/\"},{\"id\":\"T1083\",\"name\":\"File and Directory Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1083/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"33176669-3e96-40d2-bd02-447aec71fcb4\",\"rule_id\":\"d68e95ad-1c82-4074-a12a-125fe10ac8ba\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.033Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.503Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"cmd.exe\\\" and process.args : \\\"/c\\\" and process.args : (\\\"set\\\", \\\"dir\\\") and\\n not process.parent.executable : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\PROGRA~1\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-endpoint.events.process-*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"revision\":0,\"current_rule\":{\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"updated_at\":\"2024-12-04T19:45:40.256Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.256Z\",\"created_by\":\"elastic\",\"name\":\"Modification of WDigest Security Provider\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of WDigest Security Provider\\n\\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\\n\\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential` registry key. 
This activity is commonly related to the execution of credential dumping tools.\\n\\n#### Possible investigation steps\\n\\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html\",\"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019\",\"https://frsecure.com/compromised-credentials-response-playbook\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n registry.path : (\\n 
\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of WDigest Security Provider\",\"description\":\"Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of WDigest Security Provider\\n\\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\\n\\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential` registry key. 
This activity is commonly related to the execution of credential dumping tools.\\n\\n#### Possible investigation steps\\n\\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for 
Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html\",\"https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019\",\"https://frsecure.com/compromised-credentials-response-playbook\",\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1394b0d4-5fec-4e43-91f6-93d11722fc4c\",\"rule_id\":\"d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.256Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"creation\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\SecurityProviders\\\\\\\\WDigest\\\\\\\\UseLogonCredential\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe\\\" and user.id : \\\"S-1-5-18\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"revision\":0,\"current_rule\":{\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"updated_at\":\"2024-12-04T19:45:59.508Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.508Z\",\"created_by\":\"elastic\",\"name\":\"Command Execution via SolarWinds Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes. 
Verify process details such as network connections and file writes.\"],\"from\":\"now-9m\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name: (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\nprocess.parent.name: (\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n 
\\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Command Execution via SolarWinds Process\",\"description\":\"A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Trusted SolarWinds child processes. 
Verify process details such as network connections and file writes.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\",\"https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f2bffa4a-d691-4468-9679-1023de64900a\",\"rule_id\":\"d72e33fc-6e91-42ff-ac8b-e573268c5a87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.508Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name: (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and\\nprocess.parent.name: (\\n \\\"ConfigurationWizard*.exe\\\",\\n \\\"NetflowDatabaseMaintenance*.exe\\\",\\n \\\"NetFlowService*.exe\\\",\\n \\\"SolarWinds.Administration*.exe\\\",\\n \\\"SolarWinds.Collector.Service*.exe\\\",\\n \\\"SolarwindsDiagnostics*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"revision\":0,\"current_rule\":{\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"updated_at\":\"2024-12-04T19:45:59.512Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.512Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Memory grep Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Monitors for grep activity related to memory mapping. 
The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/arget13/DDexec\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"fgrep\\\", \\\"rgrep\\\") and process.args in (\\\"[stack]\\\", \\\"[vdso]\\\", \\\"[heap]\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Memory 
grep Activity\",\"description\":\"Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/arget13/DDexec\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1057\",\"name\":\"Process 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1057/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"74c1b448-7b3f-4514-b5af-000a3eb7bd59\",\"rule_id\":\"d74d6506-427a-4790-b170-0c2a6ddac799\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.512Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and\\nprocess.name in (\\\"grep\\\", \\\"egrep\\\", \\\"fgrep\\\", \\\"rgrep\\\") and process.args in (\\\"[stack]\\\", \\\"[vdso]\\\", \\\"[heap]\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Rule Type: BBR\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data 
Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"building_block\":{\"has_base_version\":false,\"current_version\":{\"type\":\"default\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"revision\":0,\"current_rule\":{\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"updated_at\":\"2024-12-04T19:45:59.528Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.528Z\",\"created_by\":\"elastic\",\"name\":\"SMTP on Port 26/TCP\",\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. 
This port has also been used by a malware family called BadPatch for command and control of Windows systems.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.\"],\"from\":\"now-9m\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://unit42.paloaltonetworks.com/unit42-badpatch/\",\"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/\"],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and 
destination.port:26\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SMTP on Port 26/TCP\",\"description\":\"This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.\"],\"references\":[\"https://unit42.paloaltonetworks.com/unit42-badpatch/\",\"https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a324c56b-91da-4e57-b65e-00c4dd3cbc42\",\"rule_id\":\"d7e62693-aab9-4f66-a21a-3d79ecdd603d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.528Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\"],\"target_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Use Case: Threat Detection\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"revision\":0,\"current_rule\":{\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"updated_at\":\"2024-12-04T19:45:59.533Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.533Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM Deactivation of MFA Device\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the deactivation of a specified multi-factor 
authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM Deactivation of MFA Device\\n\\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\\n\\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\\n\\nThis rule looks for the deactivation or deletion of AWS MFA devices. These modifications weaken account security and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"A MFA device may be deactivated by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-60m\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"to\":\"now\",\"references\":[\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html\"],\"version\":209,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM Deactivation of MFA Device\",\"description\":\"Identifies the deactivation of a specified multi-factor authentication (MFA) 
device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM Deactivation of MFA Device\\n\\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\\n\\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\\n\\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate multi-factor authentication for the user, and confirm that the re-enrolled device belongs to the legitimate user rather than to the actor who removed the original one.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[\"An MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html\",\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"setup\":\"The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"related_integrations\":[{\"package\":\"aws\",\"version\":\"^2.0.0\",\"integration\":\"cloudtrail\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"80c0743d-7c09-4988-b776-0c75fc10e100\",\"rule_id\":\"d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.533Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-aws.cloudtrail-*\"],\"query\":\"event.dataset:aws.cloudtrail and 
event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":209,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\"],\"target_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"merged_version\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Resources: Investigation Guide\",\"Tactic: Impact\",\"Tactic: Persistence\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication 
Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1531\",\"name\":\"Account Access Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1531/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\",\"subtechnique\":[{\"id\":\"T1556.006\",\"name\":\"Multi-Factor Authentication\",\"reference\":\"https://attack.mitre.org/techniques/T1556/006/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"revision\":0,\"current_rule\":{\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"updated_at\":\"2024-12-04T19:46:04.785Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.785Z\",\"created_by\":\"elastic\",\"name\":\"NTDS Dump via Wbadmin\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. 
Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume 
Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"to\":\"now\",\"references\":[\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name : \\\"wbadmin.exe\\\") and \\n process.args : \\\"recovery\\\" and process.command_line : \\\"*ntds.dit*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NTDS Dump via Wbadmin\",\"description\":\"Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. 
Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.002\",\"name\":\"Security Account Manager\",\"reference\":\"https://attack.mitre.org/techniques/T1003/002/\"},{\"id\":\"T1003.003\",\"name\":\"NTDS\",\"reference\":\"https://attack.mitre.org/techniques/T1003/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1006\",\"name\":\"Direct Volume 
Access\",\"reference\":\"https://attack.mitre.org/techniques/T1006/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e283175-35a4-4110-bac8-91703710af27\",\"rule_id\":\"d93e61db-82d6-4095-99aa-714988118064\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.785Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"wbadmin.exe\\\" or ?process.pe.original_file_name : \\\"wbadmin.exe\\\") and \\n process.args : \\\"recovery\\\" and process.command_line : \\\"*ntds.dit*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"revision\":0,\"current_rule\":{\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"updated_at\":\"2024-12-04T19:45:59.535Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.535Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deletion via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. 
This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via PowerShell\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been 
encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy\",\"https://powershell.one/wmi/root/cimv2/win32_shadowcopy\",\"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : (\\\"*Get-WmiObject*\\\", \\\"*gwmi*\\\", 
\\\"*Get-CimInstance*\\\", \\\"*gcim*\\\") and\\n process.args : (\\\"*Win32_ShadowCopy*\\\") and\\n process.args : (\\\"*.Delete()*\\\", \\\"*Remove-WmiObject*\\\", \\\"*rwmi*\\\", \\\"*Remove-CimInstance*\\\", \\\"*rcim*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deletion via PowerShell\",\"description\":\"Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via PowerShell\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - 
File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker 
to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy\",\"https://powershell.one/wmi/root/cimv2/win32_shadowcopy\",\"https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"03028b45-42f2-4493-a46b-0653238062c2\",\"rule_id\":\"d99a037b-c8e2-47a5-97b9-170d076827c4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.535Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") and\\n process.args : (\\\"*Get-WmiObject*\\\", \\\"*gwmi*\\\", \\\"*Get-CimInstance*\\\", \\\"*gcim*\\\") and\\n process.args : (\\\"*Win32_ShadowCopy*\\\") and\\n process.args : (\\\"*.Delete()*\\\", \\\"*Remove-WmiObject*\\\", \\\"*rwmi*\\\", \\\"*Remove-CimInstance*\\\", 
\\\"*rcim*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"revision\":0,\"current_rule\":{\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"updated_at\":\"2024-12-04T19:45:40.259Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.259Z\",\"created_by\":\"elastic\",\"name\":\"Code Signing Policy Modification Through Registry\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to disable the code signing policy through the registry. 
Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Registry\\n\\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \\n\\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\\n\\nThis rule identifies registry modifications that can disable DSE.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Code Signing Policy Modification Through Registry\",\"description\":\"Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. 
By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Code Signing Policy Modification Through Registry\\n\\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \\n\\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\\n\\nThis rule identifies registry modifications that can disable DSE.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Use Osquery and endpoint driver events (`event.category = \\\"driver\\\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n- Identify the driver's `Device Name` and `Service Name`.\\n- Check for alerts from the rules specified in the `Related Rules` section.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Related Rules\\n\\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\\n - This can be done via PowerShell `Remove-Service` cmdlet.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Remove and block malicious artifacts identified during triage.\\n- Ensure that the Driver Signature Enforcement is enabled on the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":211,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.006\",\"name\":\"Code Signing Policy 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1553/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"27a55253-63bc-418c-b12a-7bed1c11980f\",\"rule_id\":\"da7733b1-fe08-487e-b536-0a04c6d8b0cd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.259Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":211,\"merged_version\":211,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", 
\\\"0x00000001\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value: \\\"BehaviorOnFailedVerify\\\" and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\", \\\"1\\\", \\\"0x00000001\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\Driver Signing\\\\\\\\BehaviorOnFailedVerify\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"revision\":0,\"current_rule\":{\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"updated_at\":\"2024-12-04T19:45:59.540Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.540Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Service was Installed in the System\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a new Windows service with suspicious Service command values. 
Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Service was Installed in the System\\n\\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\\n\\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, 
description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ImagePath\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"any where\\n (event.code : \\\"4697\\\" and\\n (winlog.event_data.ServiceFileName : \\n (\\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\", 
\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\", \\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\") or\\n winlog.event_data.ServiceFileName regex~ \\\"\\\"\\\"%systemroot%\\\\\\\\[a-z0-9]+\\\\.exe\\\"\\\"\\\")) or\\n\\n (event.code : \\\"7045\\\" and\\n winlog.event_data.ImagePath : (\\n \\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\",\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\",\\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Service was Installed in the System\",\"description\":\"Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Service was Installed in the System\\n\\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. 
They can also configure services to execute these utilities with persistence payloads.\\n\\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR 
services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\\\\\"Microsoft\\\\\\\" AND signed == \\\\\\\"1\\\\\\\")\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\\\\\"0\\\\\\\"\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n\\n### False positive analysis\\n\\n- Certain services such as PSEXECSVC may happen legitimately. 
The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.ImagePath\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"eca10c21-a412-4074-8fc1-2a26a1af6dc7\",\"rule_id\":\"da87eee1-129c-4661-a7aa-57d0b9645fad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.540Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where\\n (event.code : \\\"4697\\\" and\\n (winlog.event_data.ServiceFileName : \\n (\\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\", \\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\", \\n \\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\") or\\n winlog.event_data.ServiceFileName regex~ \\\"\\\"\\\"%systemroot%\\\\\\\\[a-z0-9]+\\\\.exe\\\"\\\"\\\")) or\\n\\n (event.code : \\\"7045\\\" and\\n winlog.event_data.ImagePath : (\\n \\\"*COMSPEC*\\\", \\\"*\\\\\\\\127.0.0.1*\\\", \\\"*Admin$*\\\", \\\"*powershell*\\\", \\\"*rundll32*\\\", \\\"*cmd.exe*\\\", \\\"*PSEXESVC*\\\",\\n \\\"*echo*\\\", \\\"*RemComSvc*\\\", \\\"*.bat*\\\", \\\"*.cmd*\\\", \\\"*certutil*\\\", \\\"*vssadmin*\\\", \\\"*certmgr*\\\", \\\"*bitsadmin*\\\",\\n 
\\\"*\\\\\\\\Users\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"*\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"*\\\\\\\\Windows\\\\\\\\Debug\\\\\\\\*\\\",\\n \\\"*regsvr32*\\\", \\\"*msbuild*\\\"))\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"revision\":0,\"current_rule\":{\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"updated_at\":\"2024-12-04T19:45:59.543Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.543Z\",\"created_by\":\"elastic\",\"name\":\"Potential Pass-the-Hash (PtH) Attempt\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1550/002/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"windows\\\" and \\nevent.category : \\\"authentication\\\" and event.action : \\\"logged-in\\\" and \\nwinlog.logon.type : \\\"NewCredentials\\\" and event.outcome : \\\"success\\\" and \\nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \\\"seclogo\\\"\\n\",\"new_terms_fields\":[\"user.id\"],\"history_window_start\":\"now-10d\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Pass-the-Hash (PtH) Attempt\",\"description\":\"Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. 
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1550/002/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1550\",\"name\":\"Use Alternate Authentication Material\",\"reference\":\"https://attack.mitre.org/techniques/T1550/\",\"subtechnique\":[{\"id\":\"T1550.002\",\"name\":\"Pass the 
Hash\",\"reference\":\"https://attack.mitre.org/techniques/T1550/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"16a5c92a-7a61-451e-9047-c2d0883727c1\",\"rule_id\":\"daafdf96-e7b1-4f14-b494-27e0d24b11f6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.543Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:\\\"windows\\\" and \\nevent.category : \\\"authentication\\\" and event.action : \\\"logged-in\\\" and \\nwinlog.logon.type : \\\"NewCredentials\\\" and event.outcome : \\\"success\\\" and \\nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \\\"seclogo\\\"\\n\",\"new_terms_fields\":[\"user.id\"],\"history_window_start\":\"now-10d\",\"index\":[\"winlogbeat-*\",\"logs-windows.*\",\"logs-system.security*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\"],\"target_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"revision\":0,\"current_rule\":{\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"updated_at\":\"2024-12-04T19:45:59.547Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.547Z\",\"created_by\":\"elastic\",\"name\":\"Network-Level Authentication (NLA) Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. 
Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path :\\n (\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\", \\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\" ) and\\n registry.data.strings : \\\"0\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network-Level Authentication (NLA) Disabled\",\"description\":\"Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"e215fe1f-5ca6-44ef-9c42-f6252e358301\",\"rule_id\":\"db65f5ba-d1ef-4944-b9e8-7e51060c2b42\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.547Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", 
\\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n registry.path :\\n (\\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\", \\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\" ) and\\n registry.data.strings : \\\"0\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and registry.value : \\\"UserAuthentication\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\",\\n 
\\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Terminal Server\\\\\\\\WinStations\\\\\\\\RDP-Tcp\\\\\\\\UserAuthentication\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"revision\":0,\"current_rule\":{\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"updated_at\":\"2024-12-04T19:45:59.550Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.550Z\",\"created_by\":\"elastic\",\"name\":\"Execution via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to execute a program on the host from the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys*\\\\\\\\wslconfig.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution via Windows Subsystem for Linux\",\"description\":\"Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7a743460-c43e-4d98-a6c3-6fe68a799a9b\",\"rule_id\":\"db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.550Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files 
(x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys*\\\\\\\\wslconfig.exe\\\"\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n process.parent.name : (\\\"wsl.exe\\\", \\\"wslhost.exe\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Program 
Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n ) and\\n not (\\n event.dataset == \\\"crowdstrike.fdr\\\" and\\n process.executable : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files (x86)\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\\\\\wsl*.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\conhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\lxss\\\\\\\\wslhost.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFault.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Windows\\\\\\\\Sys?????\\\\\\\\wslconfig.exe\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"revision\":0,\"current_rule\":{\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"updated_at\":\"2024-12-04T19:46:04.788Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.788Z\",\"created_by\":\"elastic\",\"name\":\"Git Hook Command Execution\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. 
An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"],\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Git Hook Command Execution\",\"description\":\"This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. 
An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"62b2a6a2-0907-4698-90b3-a17f325fd1c0\",\"rule_id\":\"dc61f382-dc0c-4cc0-a845-069f2a071704\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.788Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=3s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"git\\\" and process.args : \\\".git/hooks/*\\\" and\\n process.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", 
\\\"ksh\\\", \\\"fish\\\")\\n ] by process.entity_id\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name in (\\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\")] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\"],\"target_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"revision\":0,\"current_rule\":{\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"updated_at\":\"2024-12-04T19:45:59.561Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.561Z\",\"created_by\":\"elastic\",\"name\":\"Potential Hidden Process via Mount Hidepid\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data 
Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide 
Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"to\":\"now\",\"references\":[\"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\"],\"version\":8,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and\\nprocess.args : \\\"*hidepid=2*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Hidden Process via Mount Hidepid\",\"description\":\"Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. 
When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":9,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"0c4380c6-1b40-4b8d-8b3d-697920439d55\",\"rule_id\":\"dc71c186-9fe4-4437-a4d0-85ebb32b8204\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.561Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like 
\\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":8,\"target_version\":9,\"merged_version\":9,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.command_line\",\"type\":\"wildcard\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and process.name == 
\\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and\\nprocess.args : \\\"*hidepid=2*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like \\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and\\nevent.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\") and\\nprocess.name == \\\"mount\\\" and process.args == \\\"/proc\\\" and process.args == \\\"-o\\\" and process.args : \\\"*hidepid=2*\\\" and\\nnot process.parent.command_line like \\\"/opt/cloudlinux/*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"revision\":0,\"current_rule\":{\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"updated_at\":\"2024-12-04T19:45:59.564Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.564Z\",\"created_by\":\"elastic\",\"name\":\"Volume Shadow Copy Deletion via WMIC\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of 
wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via WMIC\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file 
hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"delete\\\" and process.args : \\\"shadowcopy\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Volume Shadow Copy Deletion via WMIC\",\"description\":\"Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Volume Shadow Copy Deletion via WMIC\\n\\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\\n\\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\\n\\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\\n\\n#### Possible investigation steps\\n\\n- Investigate the program execution chain (parent process tree).\\n- Check whether the account is 
authorized to perform this operation.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences in other hosts.\\n- Check if any files on the host machine have been encrypted.\\n\\n\\n### False positive analysis\\n\\n- This rule has chances of producing benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Related rules\\n\\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Priority should be given due to the advanced stage of this activity on the attack.\\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0040\",\"name\":\"Impact\",\"reference\":\"https://attack.mitre.org/tactics/TA0040/\"},\"technique\":[{\"id\":\"T1490\",\"name\":\"Inhibit System Recovery\",\"reference\":\"https://attack.mitre.org/techniques/T1490/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"05eebead-22eb-4ea0-af5d-a4a2c5a725a3\",\"rule_id\":\"dc9c1f74-dac3-48e3-b47f-eb79db358f57\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.034Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.564Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"WMIC.exe\\\" or ?process.pe.original_file_name == \\\"wmic.exe\\\") and\\n process.args : \\\"delete\\\" and process.args : \\\"shadowcopy\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Impact\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"revision\":0,\"current_rule\":{\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"updated_at\":\"2024-12-04T19:45:59.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.568Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Execution from INET Cache\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Execution from INET Cache\",\"description\":\"Identifies the execution of a process with arguments pointing to the INetCache Folder. 
Adversaries may deliver malicious content via WININET during initial access.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":204,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0a25a1d5-8648-4765-9177-88c0fabecde0\",\"rule_id\":\"dca6b4b0-ae70-44eb-bb7a-ce6db502ee78\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":204,\"merged_version\":204,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Command and Control\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and \\n process.parent.name : (\\\"explorer.exe\\\", \\\"winrar.exe\\\", \\\"7zFM.exe\\\", \\\"Bandizip.exe\\\") and\\n (\\n process.args : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\" or\\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\INetCache\\\\\\\\IE\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"revision\":0,\"current_rule\":{\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"updated_at\":\"2024-12-04T19:45:59.571Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.571Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Install Kali Linux via WSL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : \\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Attempt to Install Kali Linux via WSL\",\"description\":\"Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://learn.microsoft.com/en-us/windows/wsl/wsl-config\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2e10c937-6c2f-485f-a1bd-7158bddb6850\",\"rule_id\":\"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.571Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : \\n (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\")\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", 
\\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n(\\n (process.name : \\\"wsl.exe\\\" and process.args : (\\\"-d\\\", \\\"--distribution\\\", \\\"-i\\\", \\\"--install\\\") and process.args : \\\"kali*\\\") or \\n process.executable : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\packages\\\\\\\\kalilinux*\\\", \\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft\\\\\\\\WindowsApps\\\\\\\\kali.exe\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume?\\\\\\\\Program Files*\\\\\\\\WindowsApps\\\\\\\\KaliLinux.*\\\\\\\\kali.exe\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"revision\":0,\"current_rule\":{\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"updated_at\":\"2024-12-04T19:45:59.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.573Z\",\"created_by\":\"elastic\",\"name\":\"Network Connections Initiated Through XDG Autostart Entry\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux 
distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"to\":\"now\",\"references\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":t
rue}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.parent.executable == \\\"/usr/bin/xfce4-session\\\") or\\n (process.executable == \\\"/bin/sh\\\" and process.args == \\\"-e\\\" and process.args == \\\"-u\\\" and\\n process.args == \\\"-c\\\" and process.args : \\\"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\\\")\\n )\\n ]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", 
\\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n ) or\\n process.executable in (\\n \\\"/usr/lib64/firefox/firefox\\\", \\\"/usr/lib/firefox/firefox\\\", \\\"/opt/forticlient/fortitraylauncher\\\"\\n )\\n )\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connections Initiated Through XDG Autostart Entry\",\"description\":\"Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. 
This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.013\",\"name\":\"XDG Autostart Entries\",\"reference\":\"https://attack.mitre.org/techniques/T1547/013/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the 
[guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"964edf62-5a23-43fa-a2a9-3fc9d03f35ad\",\"rule_id\":\"dd52d45a-4602-4195-9018-ebe0f219c273\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id, process.entity_id with maxspan=1s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and (\\n (process.parent.executable == \\\"/usr/bin/xfce4-session\\\") or\\n (process.executable == \\\"/bin/sh\\\" and process.args == \\\"-e\\\" and process.args == \\\"-u\\\" and\\n process.args == \\\"-c\\\" and process.args : \\\"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\\\")\\n )\\n ]\\n [network where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"connection_attempted\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", 
\\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n ) or\\n process.executable in (\\n \\\"/usr/lib64/firefox/firefox\\\", \\\"/usr/lib/firefox/firefox\\\", \\\"/opt/forticlient/fortitraylauncher\\\"\\n )\\n )\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\"],\"target_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html\",\"https://hadess.io/the-art-of-linux-persistence/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"revision\":0,\"current_rule\":{\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"updated_at\":\"2024-12-04T19:45:40.261Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.261Z\",\"created_by\":\"elastic\",\"name\":\"NullSessionPipe Registry Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"NullSessionPipe Registry Modification\",\"description\":\"Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. 
This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0db9115e-a4be-4b91-a39a-1488df5d90ae\",\"rule_id\":\"ddab1f5f-7089-44f5-9fda-de5b11322e77\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.261Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : 
(\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\nregistry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\services\\\\\\\\LanmanServer\\\\\\\\Parameters\\\\\\\\NullSessionPipes\\\"\\n) and length(registry.data.strings) > 0 and\\nnot registry.data.strings : \\\"(empty)\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"revision\":0,\"current_rule\":{\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"updated_at\":\"2024-12-04T19:45:59.576Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.576Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to Role\",\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. 
This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role.\"],\"from\":\"now-6m\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to Role\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response 
data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"49794abf-8d09-4353-83d8-2fd3a7540618\",\"rule_id\":\"dde13d58-bc39-4aa0-87fd-b4bdbf4591da\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.576Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response 
data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected role(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM 
users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" 
and event.action == \\\"AttachRolePolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, role.name\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"revision\":0,\"current_rule\":{\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"updated_at\":\"2024-12-04T19:45:59.578Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.578Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Process from a System Virtual Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process 
Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.pid == 4 and process.executable : \\\"?*\\\" and\\n not process.executable : (\\\"Registry\\\", \\\"MemCompression\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smss.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Process from a System Virtual Process\",\"description\":\"Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License 
v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.pid\",\"type\":\"long\",\"ecs\":true}],\"id\":\"46a53b6c-22b7-41e0-ad5e-79f6fbf8ab75\",\"rule_id\":\"de9bd7e0-49e9-4e92-a64d-53ade2e66af1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.578Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.pid == 4 and process.executable : \\\"?*\\\" and\\n not 
process.executable : (\\\"Registry\\\", \\\"MemCompression\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\smss.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"revision\":0,\"current_rule\":{\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"updated_at\":\"2024-12-04T19:45:59.588Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.588Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Windows User Calling the Metadata Service\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"Looks for anomalous access to the cloud platform metadata service by an unusual user. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.\"],\"from\":\"now-45m\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":104,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_user\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Windows User Calling the Metadata Service\",\"description\":\"Looks for anomalous access to the cloud platform metadata service by an unusual user. 
The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Credential Access\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1552\",\"name\":\"Unsecured Credentials\",\"reference\":\"https://attack.mitre.org/techniques/T1552/\",\"subtechnique\":[{\"id\":\"T1552.005\",\"name\":\"Cloud Instance Metadata API\",\"reference\":\"https://attack.mitre.org/techniques/T1552/005/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\\n- Elastic Defend\\n- Windows\\n\\n### Anomaly Detection Setup\\n\\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \\\"Definition\\\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Windows Integration Setup\\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"windows\\\" to your system:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Windows” and select the integration to see more details about it.\\n- Click “Add Windows”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper 
guide](https://docs.elastic.co/integrations/windows).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"9d8e98fc-fe44-4b92-a5e5-1f0ee310fe92\",\"rule_id\":\"df197323-72a8-46a9-a08e-3f5b04a4a97a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.588Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"v3_windows_rare_metadata_user\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":104,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"revision\":0,\"current_rule\":{\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"updated_at\":\"2024-12-04T19:45:59.602Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.602Z\",\"created_by\":\"elastic\",\"name\":\"AWS IAM AdministratorAccess Policy Attached to Group\",\"tags\":[\"Domain: Cloud\",\"Data 
Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. 
Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group.\"],\"from\":\"now-6m\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters 
\\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS IAM AdministratorAccess Policy Attached to Group\",\"description\":\"An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: AWS\",\"Data Source: Amazon Web Services\",\"Data Source: AWS IAM\",\"Use Case: Identity and Access Audit\",\"Tactic: Privilege Escalation\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-6m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group.\"],\"references\":[\"https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\",\"https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html\",\"https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\",\"subtechnique\":[{\"id\":\"T1098.003\",\"name\":\"Additional Cloud 
Roles\",\"reference\":\"https://attack.mitre.org/techniques/T1098/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"279556ee-ac22-45c8-9b5f-2deb1972d1ef\",\"rule_id\":\"df919b5e-a0f6-4fd8-8598-e3ce79299e3b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.602Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. 
This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident 
response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\\n\\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\\nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\\n\\n\\n#### Possible investigation steps\\n\\n- Identify the account and its role in the environment.\\n- Review IAM permission policies for the user identity.\\n- Identify the applications or users that should use this account.\\n- Investigate other alerts associated with the account during the past 48 hours.\\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Considering the source IP address and geolocation of the user who issued the command:\\n - Do they look normal for the calling user?\\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n - Determine what other API calls were made by the user.\\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\\n\\n### False positive analysis\\n\\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n - Rotate user credentials\\n - Remove the `AdministratorAccess` policy from the affected group(s)\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\\n - Work with your IT teams to minimize the impact on business operations during these actions.\\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other 
IAM users.\\n- Consider enabling multi-factor authentication for users.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws.cloudtrail-*\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == \\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws.cloudtrail-* metadata _id, _version, _index\\n| where event.provider == 
\\\"iam.amazonaws.com\\\" and event.action == \\\"AttachGroupPolicy\\\" and event.outcome == \\\"success\\\"\\n| dissect aws.cloudtrail.request_parameters \\\"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\\\"\\n| where policyName == \\\"AdministratorAccess\\\"\\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, group.name\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"revision\":0,\"current_rule\":{\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"updated_at\":\"2024-12-04T19:46:04.790Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.790Z\",\"created_by\":\"elastic\",\"name\":\"Potential privilege escalation via CVE-2022-38028\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and\\n file.path : (\\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential privilege escalation via CVE-2022-38028\",\"description\":\"Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":203,\"tags\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"14b7b1d4-dd0e-4df7-aada-e18adc399a8c\",\"rule_id\":\"dffbd37c-d4c5-46f8-9181-5afdd9172b4c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.790Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":203,\"merged_version\":203,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and\\n file.path : (\\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.name : \\\"MPDW-constraints.js\\\" and\\n 
file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\system32\\\\\\\\DriVerStoRe\\\\\\\\FiLeRePoSiToRy\\\\\\\\*\\\\\\\\MPDW-constraints.js\\\",\\n \\\"?:\\\\\\\\*\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\\\\\MPDW-constraints.js\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"revision\":0,\"current_rule\":{\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"updated_at\":\"2024-12-04T19:45:59.609Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.609Z\",\"created_by\":\"elastic\",\"name\":\"KRBTGT Delegation Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the 
modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[\"https://skyblue.team/posts/delegate-krbtgt\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy 
with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:modified-user-account and event.code:4738 and\\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"KRBTGT Delegation Backdoor\",\"description\":\"Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://skyblue.team/posts/delegate-krbtgt\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"24390b22-6ad8-4af4-9c68-74d19392316c\",\"rule_id\":\"e052c845-48d0-4f46-8a13-7d0aba05df82\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.609Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"type\":{\"has_base_version\":false,\"current_version\":\"query\",\"target_version\":\"eql\",\"merged_version\":\"eql\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NON_SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.action:modified-user-account and event.code:4738 and\\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"target_version\":{\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n 
winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"iam where event.action == \\\"modified-user-account\\\" and event.code == \\\"4738\\\" and\\n winlog.event_data.AllowedToDelegateTo : \\\"*krbtgt*\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":1}},{\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"revision\":0,\"current_rule\":{\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"updated_at\":\"2024-12-04T19:45:59.611Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.611Z\",\"created_by\":\"elastic\",\"name\":\"System Service Discovery through built-in Windows Utilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1007\",\"name\":\"System Service Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((process.name: \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and \\n not process.parent.name : \\\"net.exe\\\")) and process.args : (\\\"start\\\", \\\"use\\\") and process.args_count == 2) or\\n ((process.name: \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and process.args: (\\\"query\\\", \\\"q*\\\")) or\\n ((process.name: \\\"tasklist.exe\\\" or process.pe.original_file_name == \\\"tasklist.exe\\\") and process.args: \\\"/svc\\\") or\\n (process.name : \\\"psservice.exe\\\" or process.pe.original_file_name == \\\"psservice.exe\\\")\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Service Discovery through built-in Windows Utilities\",\"description\":\"Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":109,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1007\",\"name\":\"System Service 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1007/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"4159bcfe-8411-48a5-a348-a973e52d1508\",\"rule_id\":\"e0881d20-54ac-457f-8733-fe0bc5d44c55\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.611Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n ((process.name: \\\"net.exe\\\" or process.pe.original_file_name == \\\"net.exe\\\" or (process.name : \\\"net1.exe\\\" and \\n not process.parent.name : \\\"net.exe\\\")) and process.args : (\\\"start\\\", \\\"use\\\") and process.args_count == 2) or\\n ((process.name: \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and process.args: (\\\"query\\\", \\\"q*\\\")) or\\n ((process.name: \\\"tasklist.exe\\\" or process.pe.original_file_name == \\\"tasklist.exe\\\") and process.args: \\\"/svc\\\") or\\n (process.name : \\\"psservice.exe\\\" or process.pe.original_file_name == \\\"psservice.exe\\\")\\n ) and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":109,\"merged_version\":109,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"revision\":0,\"current_rule\":{\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"updated_at\":\"2024-12-04T19:45:59.616Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.616Z\",\"created_by\":\"elastic\",\"name\":\"Potentially Suspicious Process Started via tmux or screen\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. 
Attackers may leverage screen or tmux to execute commands while attempting to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name : (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\",\\n \\\"lua*\\\", \\\"openssl\\\", \\\"telnet\\\", \\\"awk\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potentially 
Suspicious Process Started via tmux or screen\",\"description\":\"This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":5,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a5530889-c9ac-4026-84ee-ddd6e963e7ca\",\"rule_id\":\"e0cc3807-e108-483c-bf66-5a4fbe0d7e89\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:59.616Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":5,\"merged_version\":5,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name : (\\n \\\"nmap\\\", 
\\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\",\\n \\\"lua*\\\", \\\"openssl\\\", \\\"telnet\\\", \\\"awk\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.parent.name in (\\\"screen\\\", \\\"tmux\\\") and process.name like (\\n \\\"nmap\\\", \\\"nc\\\", \\\"ncat\\\", \\\"netcat\\\", \\\"socat\\\", \\\"nc.openbsd\\\", \\\"ngrok\\\", \\\"ping\\\", \\\"java\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\",\\n \\\"openssl\\\", \\\"telnet\\\", \\\"wget\\\", \\\"curl\\\", \\\"id\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"revision\":0,\"current_rule\":{\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"updated_at\":\"2024-12-04T19:46:00.527Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.527Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious .NET Reflection via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious .NET Reflection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1620\",\"name\":\"Reflective Code Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1620/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load\"],\"version\":213,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or 
\\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious .NET Reflection via PowerShell\",\"description\":\"Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious .NET Reflection via PowerShell\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\\n\\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Evaluate whether the user needs to use PowerShell to complete tasks.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the script using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User 
Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\\n\\n### Related rules\\n\\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":316,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1620\",\"name\":\"Reflective Code Loading\",\"reference\":\"https://attack.mitre.org/techniques/T1620/\"},{\"id\":\"T1055\",\"name\":\"Process Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/\",\"subtechnique\":[{\"id\":\"T1055.001\",\"name\":\"Dynamic-link Library Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/001/\"},{\"id\":\"T1055.002\",\"name\":\"Portable Executable Injection\",\"reference\":\"https://attack.mitre.org/techniques/T1055/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"2d6cf7ff-ad9c-41e9-82b0-6e7a61e5f9a8\",\"rule_id\":\"e26f042e-c590-4e82-8e05-41e81bd822ad\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.527Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}],\"query\":\"event.category:process and host.os.type:windows and\\n 
powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":213,\"target_version\":316,\"merged_version\":316,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n 
\\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"[System.Reflection.Assembly]::Load\\\" or\\n \\\"[Reflection.Assembly]::Load\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n (\\\"CommonWorkflowParameters\\\" or \\\"RelatedLinksHelpInfo\\\") and\\n \\\"HelpDisplayStrings\\\"\\n ) and\\n not (powershell.file.script_block_text :\\n (\\\"Get-SolutionFiles\\\" or \\\"Get-VisualStudio\\\" or \\\"Select-MSBuildPath\\\") and\\n file.name : \\\"PathFunctions.ps1\\\"\\n ) and\\n not powershell.file.script_block_text : (\\n \\\"Microsoft.PowerShell.Workflow.ServiceCore\\\" and \\\"ExtractPluginProperties([string]$pluginDir\\\"\\n ) and \\n \\n not powershell.file.script_block_text : (\\\"reflection.assembly]::Load('System.\\\" or \\\"LoadWithPartialName('Microsoft.\\\" or \\\"::Load(\\\\\\\"Microsoft.\\\" or \\\"Microsoft.Build.Utilities.Core.dll\\\") and \\n \\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\",\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"file.path\":{\"case_insensitive\":true,\"value\":\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\Monitoring Host Temporary Files*\\\\\\\\AvailabilityGroupMonitoring.ps1\"}}}}]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"revision\":0,\"current_rule\":{\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"updated_at\":\"2024-12-04T19:46:00.530Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.530Z\",\"created_by\":\"elastic\",\"name\":\"Network Traffic Capture via CAP_NET_RAW\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. 
The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1040\",\"name\":\"Network Sniffing\",\"reference\":\"https://attack.mitre.org/techniques/T1040/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"process\\\" and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and event.action:\\\"exec\\\" and process.name:* and\\n(process.thread.capabilities.effective:\\\"CAP_NET_RAW\\\" or process.thread.capabilities.permitted:\\\"CAP_NET_RAW\\\") and\\nnot user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"user.id\",\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Traffic Capture via CAP_NET_RAW\",\"description\":\"Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. 
The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1040\",\"name\":\"Network Sniffing\",\"reference\":\"https://attack.mitre.org/techniques/T1040/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0c91f416-162a-44ad-a8df-e911c8cc88c3\",\"rule_id\":\"e28b8093-833b-4eda-b877-0873d134cf3c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.530Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"process\\\" and host.os.type:\\\"linux\\\" and event.type:\\\"start\\\" and event.action:\\\"exec\\\" and process.name:* and\\n(process.thread.capabilities.effective:\\\"CAP_NET_RAW\\\" or process.thread.capabilities.permitted:\\\"CAP_NET_RAW\\\") and\\nnot 
user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"target_version\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"merged_version\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"user.id\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"revision\":0,\"current_rule\":{\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"updated_at\":\"2024-12-04T19:46:00.537Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.537Z\",\"created_by\":\"elastic\",\"name\":\"Windows Subsystem for Linux Enabled via Dism Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \\\"Microsoft-Windows-Subsystem-Linux\\\". \\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and 
event.type : \\\"start\\\" and\\n (process.name : \\\"Dism.exe\\\" or ?process.pe.original_file_name == \\\"DISM.EXE\\\") and \\n process.command_line : \\\"*Microsoft-Windows-Subsystem-Linux*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Subsystem for Linux Enabled via Dism Utility\",\"description\":\"Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\\n\\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\\n\\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \\\"Microsoft-Windows-Subsystem-Linux\\\". 
\\n\\n### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This is a dual-use tool, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\\n\\n### Related Rules\\n\\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9c0a39d1-f2c9-47a2-8f66-5a1bc60ecdf6\",\"rule_id\":\"e2e0537d-7d8f-4910-a11d-559bcf61295a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.537Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type : \\\"start\\\" and\\n (process.name : \\\"Dism.exe\\\" or ?process.pe.original_file_name == \\\"DISM.EXE\\\") and \\n process.command_line : \\\"*Microsoft-Windows-Subsystem-Linux*\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"revision\":0,\"current_rule\":{\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"updated_at\":\"2024-12-04T19:46:00.539Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.539Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Process Execution via Renamed PsExec Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to 
evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"psexesvc.exe\\\" and not process.name : \\\"PSEXESVC.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Process Execution via Renamed PsExec Executable\",\"description\":\"Identifies suspicious psexec activity which is 
executing from the psexec service that has been renamed, possibly to evade detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\\n\\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\\n\\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\\n\\n#### Possible investigation steps\\n\\n- Check if the usage of this tool complies with the organization's administration policy.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Identify the target computer and its role in the IT environment.\\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - Prioritize cases involving critical servers and users.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":212,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1569\",\"name\":\"System Services\",\"reference\":\"https://attack.mitre.org/techniques/T1569/\",\"subtechnique\":[{\"id\":\"T1569.002\",\"name\":\"Service Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1569/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"94f9c0dc-8b5e-4333-8fde-043ec9cafcb3\",\"rule_id\":\"e2f9fdf5-8076-45ad-9427-41e0e03dc9c2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.035Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.539Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.pe.original_file_name : \\\"psexesvc.exe\\\" and not process.name : 
\\\"PSEXESVC.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":212,\"merged_version\":212,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"revision\":0,\"current_rule\":{\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"updated_at\":\"2024-12-04T19:46:00.549Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.549Z\",\"created_by\":\"elastic\",\"name\":\"Process Activity via Compiled HTML File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Activity via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. 
This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the parent process to gain understanding of what triggered this behavior.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. 
This is not always malicious, but adversaries may abuse this technology to conceal malicious code.\"],\"from\":\"now-9m\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"hh.exe\\\" and\\n process.name : (\\\"mshta.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Activity via Compiled HTML File\",\"description\":\"Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Activity via Compiled HTML File\\n\\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\\n\\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. 
This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the parent process to gain understanding of what triggered this behavior.\\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys 
accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. 
This is not always malicious, but adversaries may abuse this technology to conceal malicious code.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.001\",\"name\":\"Compiled HTML File\",\"reference\":\"https://attack.mitre.org/techniques/T1218/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"39993620-12d5-4e1a-8aa2-0a72e5a06a4c\",\"rule_id\":\"e3343ab9-4245-4715-b344-e11c56b0a47f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.549Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"pro
cess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"hh.exe\\\" and\\n process.name : (\\\"mshta.exe\\\", \\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\", \\\"cscript.exe\\\", \\\"wscript.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"revision\":0,\"current_rule\":{\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"updated_at\":\"2024-12-04T19:46:00.558Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.558Z\",\"created_by\":\"elastic\",\"name\":\"Connection to Commonly Abused Free SSL Certificate Providers\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies unusual processes connecting to domains using known free SSL certificates. 
Adversaries may employ a known encryption algorithm to conceal command and control traffic.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1573\",\"name\":\"Encrypted Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1573/\"}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n /* Add new free SSL certificate provider domains here */\\n dns.question.name : (\\\"*letsencrypt.org\\\", \\\"*.sslforfree.com\\\", \\\"*.zerossl.com\\\", \\\"*.freessl.org\\\") and\\n\\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\\n process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.exe\\\",\\n\\t \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\notepad.exe\\\") and\\n\\n /* Insert noisy false positives here */\\n not process.name : (\\\"svchost.exe\\\", \\\"MicrosoftEdge*.exe\\\", \\\"msedge.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Connection to Commonly Abused Free SSL Certificate Providers\",\"description\":\"Identifies unusual processes connecting to domains using known free SSL certificates. 
Adversaries may employ a known encryption algorithm to conceal command and control traffic.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1573\",\"name\":\"Encrypted Channel\",\"reference\":\"https://attack.mitre.org/techniques/T1573/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"dns.question.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"90d55a26-08d3-486c-909c-51b286b75f15\",\"rule_id\":\"e3cf38fa-d5b8-46cc-87f9-4a7513e4281d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.558Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"network where host.os.type == \\\"windows\\\" and network.protocol == \\\"dns\\\" and\\n /* Add new free SSL certificate provider domains here */\\n dns.question.name : (\\\"*letsencrypt.org\\\", \\\"*.sslforfree.com\\\", \\\"*.zerossl.com\\\", \\\"*.freessl.org\\\") and\\n\\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\\n process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.exe\\\",\\n \\\"C:\\\\\\\\Windows\\\\\\\\System\\\\\\\\*.exe\\\",\\n\\t \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\*.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\explorer.exe\\\",\\n\\t\\t \\\"C:\\\\\\\\Windows\\\\\\\\notepad.exe\\\") and\\n\\n /* Insert noisy false positives here */\\n not process.name : (\\\"svchost.exe\\\", \\\"MicrosoftEdge*.exe\\\", 
\\\"msedge.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"revision\":0,\"current_rule\":{\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"updated_at\":\"2024-12-04T19:46:00.560Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.560Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via KDE AutoStart Script or Desktop File Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. 
Adversaries may abuse this method for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\\n\\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\\n\\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\\n\\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \\\".sh\\\" or \\\".desktop\\\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' 
)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path 
LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"to\":\"now\",\"references\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration 
Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", 
\\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\n \\\"rpm\\\", \\\"pacman\\\", \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via KDE AutoStart Script or Desktop File Modification\",\"description\":\"Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\\n\\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\\n\\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\\n\\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \\\".sh\\\" or \\\".desktop\\\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n### Possible investigation steps\\n\\n- Investigate the file that was created or modified.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path 
LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\\\n'/home/%/.local/share/autostart/%.desktop' OR 
path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False positive analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and 
command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":114,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from one of the following integrations:\\n- Elastic Defend\\n- Auditbeat\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\n### Auditbeat Setup\\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\\n\\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\\n- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\\n\\n#### Custom Ingest Pipeline\\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a0b5cfa9-a1c9-4257-859c-ab06bb412d46\",\"rule_id\":\"e3e904b3-0a8e-4e68-86a8-977a163e21d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.560Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in 
(\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":114,\"merged_version\":114,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\"],\"target_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://userbase.kde.org/System_Settings/Autostart\",\"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\",\"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n 
\\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\n \\\"rpm\\\", \\\"pacman\\\", \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type != \\\"deletion\\\" and\\n file.extension in (\\\"sh\\\", \\\"desktop\\\") 
and\\n file.path :\\n (\\n \\\"/home/*/.config/autostart/*\\\", \\\"/root/.config/autostart/*\\\",\\n \\\"/home/*/.kde/Autostart/*\\\", \\\"/root/.kde/Autostart/*\\\",\\n \\\"/home/*/.kde4/Autostart/*\\\", \\\"/root/.kde4/Autostart/*\\\",\\n \\\"/home/*/.kde/share/autostart/*\\\", \\\"/root/.kde/share/autostart/*\\\",\\n \\\"/home/*/.kde4/share/autostart/*\\\", \\\"/root/.kde4/share/autostart/*\\\",\\n \\\"/home/*/.local/share/autostart/*\\\", \\\"/root/.local/share/autostart/*\\\",\\n \\\"/home/*/.config/autostart-scripts/*\\\", \\\"/root/.config/autostart-scripts/*\\\",\\n \\\"/etc/xdg/autostart/*\\\", \\\"/usr/share/autostart/*\\\"\\n ) and\\n not process.name in (\\n \\\"yum\\\", \\\"dpkg\\\", \\\"install\\\", \\\"dnf\\\", \\\"teams\\\", \\\"yum-cron\\\", \\\"dnf-automatic\\\", \\\"docker\\\", \\\"dockerd\\\", \\\"rpm\\\", \\\"pacman\\\",\\n \\\"podman\\\", \\\"nautilus\\\", \\\"remmina\\\", \\\"cinnamon-settings.py\\\", \\\"executor\\\", \\\"xfce4-clipman\\\", \\\"jetbrains-toolbox\\\",\\n \\\"ansible-admin\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"revision\":0,\"current_rule\":{\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"updated_at\":\"2024-12-04T19:46:00.563Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.563Z\",\"created_by\":\"elastic\",\"name\":\"First Time Seen NewCredentials Logon Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a new credentials logon type performed by an unusual process. 
This may indicate the existence of an access token forging capability that is often abused to bypass access control restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:\\\"authentication\\\" and host.os.type:\\\"windows\\\" and winlog.logon.type:\\\"NewCredentials\\\" and winlog.event_data.LogonProcessName:(Advapi* or \\\"Advapi \\\") and not 
winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\\\\\Program?Files*\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"First Time Seen NewCredentials Logon Process\",\"description\":\"Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1134\",\"name\":\"Access Token Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1134/\",\"subtechnique\":[{\"id\":\"T1134.001\",\"name\":\"Token 
Impersonation/Theft\",\"reference\":\"https://attack.mitre.org/techniques/T1134/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"e72486f1-5867-4489-9a32-ab6ed3b32479\",\"rule_id\":\"e468f3f6-7c4c-45bb-846a-053738b3fe5d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.563Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:\\\"authentication\\\" and host.os.type:\\\"windows\\\" and winlog.logon.type:\\\"NewCredentials\\\" and winlog.event_data.LogonProcessName:(Advapi* or \\\"Advapi \\\") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\\\\\Program?Files*\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"revision\":0,\"current_rule\":{\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"updated_at\":\"2024-12-04T19:46:00.568Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.568Z\",\"created_by\":\"elastic\",\"name\":\"Service Creation via Local Kerberos Authentication\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. 
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos 
Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/Dec0ne/KrbRelayUp\",\"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\",\"https://github.com/cube0x0/KrbRelay\",\"https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82\"],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"sequence by winlog.computer_name with maxspan=5m\\n [authentication where\\n\\n /* event 4624 need to be logged */\\n event.action == \\\"logged-in\\\" and event.outcome == \\\"success\\\" and\\n\\n /* authenticate locally using relayed kerberos Ticket */\\n winlog.event_data.AuthenticationPackageName :\\\"Kerberos\\\" and winlog.logon.type == \\\"Network\\\" and\\n cidrmatch(source.ip, \\\"127.0.0.0/8\\\", \\\"::1\\\") and source.port > 0] by winlog.event_data.TargetLogonId\\n\\n [any where\\n /* event 4697 need to be logged */\\n event.action : \\\"service-installed\\\"] by 
winlog.event_data.SubjectLogonId\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Creation via Local Kerberos Authentication\",\"description\":\"Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/Dec0ne/KrbRelayUp\",\"https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html\",\"https://github.com/cube0x0/KrbRelay\",\"https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.outcome\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"200dc80f-1443-4971-afd4-0c1da8fb2333\",\"rule_id\":\"e4e31051-ee01-4307-a6ee-b21b186958f4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.568Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name with maxspan=5m\\n [authentication where\\n\\n /* event 4624 need to be logged */\\n event.action == \\\"logged-in\\\" and event.outcome == \\\"success\\\" and\\n\\n /* authenticate locally using relayed kerberos Ticket */\\n winlog.event_data.AuthenticationPackageName :\\\"Kerberos\\\" and winlog.logon.type == \\\"Network\\\" and\\n cidrmatch(source.ip, \\\"127.0.0.0/8\\\", \\\"::1\\\") and source.port > 0] by winlog.event_data.TargetLogonId\\n\\n [any where\\n /* event 4697 need to be logged */\\n event.action : \\\"service-installed\\\"] by 
winlog.event_data.SubjectLogonId\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Credential Access\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"revision\":0,\"current_rule\":{\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"updated_at\":\"2024-12-04T19:46:00.570Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.570Z\",\"created_by\":\"elastic\",\"name\":\"Kerberos Pre-authentication Disabled for User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Pre-authentication Disabled for User\\n\\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\\n\\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Determine if the target account is sensitive or privileged.\\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\\n- Re-enable the preauthentication option or disable the target account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.004\",\"name\":\"AS-REP Roasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain 
Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code:4738 and winlog.api:\\\"wineventlog\\\" and message:\\\"'Don't Require Preauth' - Enabled\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Kerberos Pre-authentication Disabled for User\",\"description\":\"Identifies the modification of an account's Kerberos pre-authentication options. 
An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Kerberos Pre-authentication Disabled for User\\n\\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account’s Kerberos authentication.\\n\\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Determine if the target account is sensitive or privileged.\\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\\n\\n### False positive analysis\\n\\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\\n- Re-enable the preauthentication option or disable the target account.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://harmj0y.medium.com/roasting-as-reps-e6179a65216b\",\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.004\",\"name\":\"AS-REP Roasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1078\",\"name\":\"Valid Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/\",\"subtechnique\":[{\"id\":\"T1078.002\",\"name\":\"Domain Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nAccount Management >\\nAudit User Account Management (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"message\",\"type\":\"match_only_text\",\"ecs\":true},{\"name\":\"winlog.api\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"63c92c36-4930-4c47-925e-8f671c1a6f08\",\"rule_id\":\"e514d8cd-ed15-4011-84e2-d15147e059f1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.570Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.code:4738 and winlog.api:\\\"wineventlog\\\" and message:\\\"'Don't Require Preauth' - Enabled\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Defense Evasion\",\"Tactic: Privilege Escalation\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: Active Directory\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"revision\":0,\"current_rule\":{\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"updated_at\":\"2024-12-04T19:46:00.573Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.573Z\",\"created_by\":\"elastic\",\"name\":\"MFA 
Disabled for Google Workspace Organization\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Disabled for Google Workspace Organization\\n\\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies when MFA enforcement is turned off in Google Workspace. 
This modification weakens account security and can lead to accounts and other assets being compromised.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"MFA settings may be modified by system administrators. Verify that the configuration change was expected. 
Exceptions can be added to this rule to filter expected behavior.\"],\"from\":\"now-130m\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"to\":\"now\",\"references\":[],\"version\":205,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MFA Disabled for Google Workspace Organization\",\"description\":\"Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. 
An adversary may attempt to modify a password policy in order to weaken an organization’s security controls.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MFA Disabled for Google Workspace Organization\\n\\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\\n\\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\\n\\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\\n\\nThis rule identifies when MFA enforcement is turned off in Google Workspace. This modification weakens account security and can lead to accounts and other assets being compromised.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Contact the account and resource owners and confirm whether they are aware of this activity.\\n- Check if this operation was approved and performed according to the organization's change management policy.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- While this activity can be done by administrators, all users must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\\n- Reactivate the multi-factor authentication enforcement.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Identity and Access Audit\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.\"],\"references\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1556\",\"name\":\"Modify Authentication Process\",\"reference\":\"https://attack.mitre.org/techniques/T1556/\"}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.provider\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.admin.new_value\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"84436b7d-15c5-4efd-b4df-effca376edf4\",\"rule_id\":\"e555105c-ba6d-481f-82bb-9b633e7b4827\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.573Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":205,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://support.google.com/a/answer/7061566\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"revision\":0,\"current_rule\":{\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"updated_at\":\"2024-12-04T19:46:00.594Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.594Z\",\"created_by\":\"elastic\",\"name\":\"Execution of Persistent Suspicious Program\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\\nsequence by host.id, user.name with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"userinit.exe\\\" and process.parent.name : \\\"winlogon.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"explorer.exe\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in (\\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"MSBuild.exe\\\",\\n \\\"InstallUtil.exe\\\") and\\n /* add potential 
suspicious paths here */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"C:\\\\\\\\Intel\\\\\\\\*\\\")\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Execution of Persistent Suspicious Program\",\"description\":\"Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":207,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup 
Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"856c61c5-0a0d-4838-b15a-2b78d7be7014\",\"rule_id\":\"e7125cea-9fe1-42a5-9a05-b0792cf86f5a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.594Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\\nsequence by host.id, user.name with maxspan=1m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"userinit.exe\\\" and process.parent.name : \\\"winlogon.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"explorer.exe\\\"]\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"explorer.exe\\\" and\\n /* add suspicious programs here */\\n process.pe.original_file_name in (\\\"cscript.exe\\\",\\n \\\"wscript.exe\\\",\\n \\\"PowerShell.EXE\\\",\\n \\\"MSHTA.EXE\\\",\\n \\\"RUNDLL32.EXE\\\",\\n \\\"REGSVR32.EXE\\\",\\n \\\"RegAsm.exe\\\",\\n \\\"MSBuild.exe\\\",\\n 
\\\"InstallUtil.exe\\\") and\\n /* add potential suspicious paths here */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*\\\", \\\"C:\\\\\\\\PerfLogs\\\\\\\\*\\\", \\\"C:\\\\\\\\Intel\\\\\\\\*\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":207,\"merged_version\":207,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"revision\":0,\"current_rule\":{\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"updated_at\":\"2024-12-04T19:46:00.596Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.596Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious WMI Event Subscription Created\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects the creation of a WMI Event 
Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\",\"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96\"],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Consumer\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Operation\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where event.dataset == \\\"windows.sysmon_operational\\\" and event.code == \\\"21\\\" and\\n winlog.event_data.Operation : \\\"Created\\\" and 
winlog.event_data.Consumer : (\\\"*subscription:CommandLineEventConsumer*\\\", \\\"*subscription:ActiveScriptEventConsumer*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious WMI Event Subscription Created\",\"description\":\"Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":206,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf\",\"https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.003\",\"name\":\"Windows Management Instrumentation Event 
Subscription\",\"reference\":\"https://attack.mitre.org/techniques/T1546/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.Consumer\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.Operation\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"8e32eb17-680b-4f22-acb6-09f4752e247f\",\"rule_id\":\"e72f87d0-a70e-4f8d-8443-a6407bc34643\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.596Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where event.dataset == \\\"windows.sysmon_operational\\\" and event.code == \\\"21\\\" and\\n winlog.event_data.Operation : \\\"Created\\\" and winlog.event_data.Consumer : (\\\"*subscription:CommandLineEventConsumer*\\\", \\\"*subscription:ActiveScriptEventConsumer*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":206,\"merged_version\":206,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"revision\":0,\"current_rule\":{\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"updated_at\":\"2024-12-04T19:46:04.795Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.795Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Execution via Microsoft Common Console File\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via Microsoft Common Console File\\n\\n- Investigate the source of the MSC file.\\n- Investigate the process execution chain (all spawned child processes and their descendants).\\n- Investigate the process and it's descendants network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the 
malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.genians.co.kr/blog/threat_intelligence/facebook\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and endswith~(process.parent.args, \\\".msc\\\") and\\n not process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Execution via Microsoft Common Console File\",\"description\":\"Identifies the execution of a child process from a Microsoft Common Console file. 
Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Execution via Microsoft Common Console File\\n\\n- Investigate the source of the MSC file.\\n- Investigate the process execution chain (all spawned child processes and their descendants).\\n- Investigate the process and it's descendants network and file events.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.genians.co.kr/blog/threat_intelligence/facebook\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"eba51dd5-0e78-4607-ad88-feb077cb4586\",\"rule_id\":\"e760c72b-bb1f-44f0-9f0d-37d51744ee75\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.795Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe\\\" and endswith~(process.parent.args, \\\".msc\\\") and\\n not process.parent.args : (\\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program files\\\\\\\\*.msc\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.msc\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"revision\":0,\"current_rule\":{\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"updated_at\":\"2024-12-04T19:46:00.606Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.606Z\",\"created_by\":\"elastic\",\"name\":\"Service Control Spawned via Script Interpreter\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. 
This can potentially indicate an attempt to elevate privileges or maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Service Control Spawned via Script Interpreter\\n\\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\\n\\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the 
past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : 
\\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Control Spawned via Script Interpreter\",\"description\":\"Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Service Control Spawned via Script Interpreter\\n\\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\\n\\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the 
past 48 hours.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n\\n### False positive analysis\\n\\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Delete the service or restore it to the original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"},{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"},{\"id\":\"T1059.005\",\"name\":\"Visual Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"},{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a7c4bb65-5ae3-49e2-b918-894b81071360\",\"rule_id\":\"e8571d5f-bea1-46c2-9f56-998de2d3ed95\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.606Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", 
\\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM 
SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"/* This rule is not compatible with Sysmon due to user.id issues */\\n\\nprocess where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"sc.exe\\\" or ?process.pe.original_file_name == \\\"sc.exe\\\") and\\n process.parent.name : (\\\"cmd.exe\\\", \\\"wscript.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\",\\n \\\"wmic.exe\\\", \\\"mshta.exe\\\",\\\"powershell.exe\\\", \\\"pwsh.exe\\\") and\\n process.args:(\\\"config\\\", \\\"create\\\", \\\"start\\\", \\\"delete\\\", \\\"stop\\\", \\\"pause\\\") and\\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-system.security*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"revision\":0,\"current_rule\":{\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"updated_at\":\"2024-12-04T19:45:40.264Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.264Z\",\"created_by\":\"elastic\",\"name\":\"Installation of Security Support Provider\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. 
Adversaries may abuse this to establish persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.005\",\"name\":\"Security Support Provider\",\"reference\":\"https://attack.mitre.org/techniques/T1547/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Installation of Security Support Provider\",\"description\":\"Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. 
Adversaries may abuse this to establish persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.005\",\"name\":\"Security Support Provider\",\"reference\":\"https://attack.mitre.org/techniques/T1547/005/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify 
Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9c8cb1fc-a6dc-4653-bd31-0fd2be3e3fea\",\"rule_id\":\"e86da94d-e54b-4fb5-b96c-cecff87e8787\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.264Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == 
\\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Security Packages*\\\",\\n \\\"MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\OSConfig\\\\\\\\Security Packages*\\\"\\n ) and\\n not process.executable : (\\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"revision\":0,\"current_rule\":{\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"updated_at\":\"2024-12-04T19:46:00.608Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.608Z\",\"created_by\":\"elastic\",\"name\":\"Host Files System Changes via Windows Subsystem for Linux\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects files creation and modification on the host system from the the Windows Subsystem for Linux. 
Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/microsoft/WSL\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"dllhost.exe\\\" and \\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\\n process.command_line : \\\"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\\\"]\\n [file where host.os.type == \\\"windows\\\" and process.name : 
\\\"dllhost.exe\\\" and not file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Host Files System Changes via Windows Subsystem for Linux\",\"description\":\"Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/microsoft/WSL\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1202\",\"name\":\"Indirect Command 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1202/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"93bc1b4e-8dfa-46b8-9ade-9e17b528a630\",\"rule_id\":\"e88d1fe9-b2f4-48d4-bace-a026dc745d4b\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.608Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id with maxspan=5m\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"dllhost.exe\\\" and \\n /* Plan9FileSystem CLSID - WSL Host File System Worker */\\n process.command_line : \\\"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\\\"]\\n [file where host.os.type == \\\"windows\\\" and process.name : \\\"dllhost.exe\\\" and not file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"revision\":0,\"current_rule\":{\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"updated_at\":\"2024-12-04T19:46:00.613Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.613Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious System Commands Executed by Previously Unknown Executable\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. 
Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":106,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(\\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\\n) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot process.name:(\\n apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\\n or sudo or top or uptime or which or whoami or yum\\n) and\\nnot process.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious System Commands 
Executed by Previously Unknown Executable\",\"description\":\"This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.004\",\"name\":\"Unix Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/004/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b66fded7-798c-49eb-a817-ea2098e04b30\",\"rule_id\":\"e9001ee6-2d00-4d2f-849e-b8b1fb05234c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.613Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat 
or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)\\n)\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":106,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(\\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\\n) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot process.name:(\\n apt or dnf or docker or dockerd 
or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\\n or sudo or top or uptime or which or whoami or yum\\n) and\\nnot process.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or 
/tmp/.criu*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\\nprocess.executable:(* and (\\n /etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or /etc/update-motd.d/* or\\n /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or /usr/share/* or /var/tmp/*\\n) and not /tmp/go-build*) and\\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\\nnot (process.name:\\n (apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or\\n snapd or sudo or top or uptime or which or whoami or yum) or\\nprocess.parent.executable:(\\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or /opt/puppetlabs/puppet/bin/puppet or\\n /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or\\n /etc/network/* or /opt/Elastic/* or /opt/TrendMicro* or /opt/aws/* or /opt/eset/* or /opt/rapid7/* or /run/containerd/* or /run/k3s/* or\\n /snap/* or /tmp/dpkg-licenses* or /tmp/newroot/* or /usr/bin/* or /var/lib/amagent/* or /var/lib/docker/* or /vz/*\\n ) or\\n process.executable:(/run/containerd/* or /srv/snp/docker/* or /tmp/.criu*)\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"revision\":0,\"current_rule\":{\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"updated_at\":\"2024-12-04T19:46:00.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.627Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Executable File Creation by a System Critical Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Executable File Creation by a System Critical Process\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\\n\\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1211\",\"name\":\"Exploitation for Defense Evasion\",\"reference\":\"https://attack.mitre.org/techniques/T1211/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\") and\\n process.name : (\\\"smss.exe\\\",\\n \\\"autochk.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"wininit.exe\\\",\\n \\\"services.exe\\\",\\n \\\"lsass.exe\\\",\\n \\\"winlogon.exe\\\",\\n \\\"userinit.exe\\\",\\n \\\"LogonUI.exe\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Executable File Creation by a System Critical Process\",\"description\":\"Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Executable File Creation by a System Critical Process\\n\\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\\n\\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR 
user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1211\",\"name\":\"Exploitation for Defense Evasion\",\"reference\":\"https://attack.mitre.org/techniques/T1211/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b6c42178-5672-4f5c-8e33-4356718f520e\",\"rule_id\":\"e94262f2-c1e9-4d3f-a907-aeab16712e1a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.036Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"exe\\\", \\\"dll\\\") and\\n process.name : (\\\"smss.exe\\\",\\n \\\"autochk.exe\\\",\\n \\\"csrss.exe\\\",\\n \\\"wininit.exe\\\",\\n \\\"services.exe\\\",\\n \\\"lsass.exe\\\",\\n \\\"winlogon.exe\\\",\\n \\\"userinit.exe\\\",\\n \\\"LogonUI.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: 
Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"revision\":0,\"current_rule\":{\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"updated_at\":\"2024-12-04T19:46:00.630Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.630Z\",\"created_by\":\"elastic\",\"name\":\"Potential LSA Authentication Package Abuse\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. 
The binary will then be executed by SYSTEM when the authentication packages are loaded.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":105,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == 
\\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\"\\n ) and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential LSA Authentication Package Abuse\",\"description\":\"Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.002\",\"name\":\"Authentication Package\",\"reference\":\"https://attack.mitre.org/techniques/T1547/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"f8f3e1bb-20eb-413b-8e87-c0bac60414fa\",\"rule_id\":\"e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.038Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.630Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Control\\\\\\\\Lsa\\\\\\\\Authentication Packages\\\"\\n ) and\\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\\n not user.id : \\\"S-1-5-18\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":105,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"revision\":0,\"current_rule\":{\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"updated_at\":\"2024-12-04T19:46:00.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.637Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Process Spawned by a Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_parent\"],\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Process Spawned by a Parent Process\",\"description\":\"A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. 
Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"c369dc43-5df6-4331-9c73-396ec3d567e3\",\"rule_id\":\"ea09ff26-3902-4c53-bb8e-24b7a5d029dd\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.038Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_rare_process_by_parent\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"revision\":0,\"current_rule\":{\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"updated_at\":\"2024-12-04T19:46:00.644Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.644Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious APT Package Manager Network Connection\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. 
Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable == 
\\\"/usr/bin/apt-listbugs\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious APT Package Manager Network Connection\",\"description\":\"Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":4,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution 
Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c0c82ba1-65ef-4b3b-aeb5-84c35c5452b3\",\"rule_id\":\"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:46:00.644Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"apt\\\" and process.args == \\\"-c\\\" and process.name in (\\n \\\"bash\\\", \\\"dash\\\", \\\"sh\\\", \\\"tcsh\\\", \\\"csh\\\", \\\"zsh\\\", \\\"ksh\\\", \\\"fish\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and not (\\n destination.ip == null or destination.ip == \\\"0.0.0.0\\\" or cidrmatch(\\n destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\", \\\"192.0.0.0/29\\\",\\n \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\", \\\"192.0.2.0/24\\\",\\n \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\", \\\"100.64.0.0/10\\\",\\n \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\", \\\"FE80::/10\\\",\\n \\\"FF00::/8\\\", \\\"172.31.0.0/16\\\"\\n )\\n ) and not process.executable == \\\"/usr/bin/apt-listbugs\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":4,\"merged_version\":4,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer 
Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"}},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"}}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"revision\":0,\"current_rule\":{\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"updated_at\":\"2024-12-04T19:46:00.649Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.649Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Webcam Video Capture Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1125\",\"name\":\"Video Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1125/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"NewFrameEventHandler\\\" or\\n \\\"VideoCaptureDevice\\\" or\\n \\\"DirectX.Capture.Filters\\\" or\\n \\\"VideoCompressors\\\" or\\n \\\"Start-WebcamRecorder\\\" or\\n (\\n (\\\"capCreateCaptureWindowA\\\" or\\n \\\"capCreateCaptureWindow\\\" or\\n \\\"capGetDriverDescription\\\") and\\n (\\\"avicap32.dll\\\" or \\\"avicap32\\\")\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Webcam Video Capture 
Capabilities\",\"description\":\"Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":106,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Collection\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0009\",\"name\":\"Collection\",\"reference\":\"https://attack.mitre.org/tactics/TA0009/\"},\"technique\":[{\"id\":\"T1125\",\"name\":\"Video Capture\",\"reference\":\"https://attack.mitre.org/techniques/T1125/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add 
\\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"262430f4-f263-4d58-8518-d50d6533f0b4\",\"rule_id\":\"eb44611f-62a8-4036-a5ef-587098be6c43\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.649Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"NewFrameEventHandler\\\" or\\n \\\"VideoCaptureDevice\\\" or\\n \\\"DirectX.Capture.Filters\\\" or\\n \\\"VideoCompressors\\\" or\\n \\\"Start-WebcamRecorder\\\" or\\n (\\n (\\\"capCreateCaptureWindowA\\\" or\\n \\\"capCreateCaptureWindow\\\" or\\n \\\"capGetDriverDescription\\\") and\\n (\\\"avicap32.dll\\\" or \\\"avicap32\\\")\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":106,\"merged_version\":106,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"revision\":0,\"current_rule\":{\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"updated_at\":\"2024-12-04T19:46:00.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.652Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Kerberos Ticket Request\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Request\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\\n\\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process 
tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Validate if the account has an SPN associated with it.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\\n\\n### False positive analysis\\n\\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://cobalt.io/blog/kerberoast-attack-techniques\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\"],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n KerberosRequestorSecurityToken\\n ) and not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-20\\\") and\\n not powershell.file.script_block_text : (\\n (\\\"sentinelbreakpoints\\\" and (\\\"Set-PSBreakpoint\\\" or \\\"Set-HookFunctionTabs\\\")) or\\n (\\\"function global\\\" and \\\"\\\\\\\\windows\\\\\\\\sentinel\\\\\\\\4\\\")\\n 
)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Kerberos Ticket Request\",\"description\":\"Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Request\\n\\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\\n\\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\\n\\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\\n\\n#### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Validate if the account has an SPN associated with it.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\\n\\n### False positive analysis\\n\\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://cobalt.io/blog/kerberoast-attack-techniques\",\"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\",\"subtechnique\":[{\"id\":\"T1558.003\",\"name\":\"Kerberoasting\",\"reference\":\"https://attack.mitre.org/techniques/T1558/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"57acbe66-56b1-4502-a2fd-5ace25fe58a6\",\"rule_id\":\"eb610e70-f9e6-4949-82b9-f1c5bcd37c39\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:00.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n KerberosRequestorSecurityToken\\n ) and not user.id : (\\\"S-1-5-18\\\" or \\\"S-1-5-20\\\") and\\n not powershell.file.script_block_text : (\\n (\\\"sentinelbreakpoints\\\" and (\\\"Set-PSBreakpoint\\\" or \\\"Set-HookFunctionTabs\\\")) or\\n (\\\"function global\\\" and \\\"\\\\\\\\windows\\\\\\\\sentinel\\\\\\\\4\\\")\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"revision\":0,\"current_rule\":{\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"updated_at\":\"2024-12-04T19:46:01.881Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.881Z\",\"created_by\":\"elastic\",\"name\":\"Mimikatz Memssp Log File Detected\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the password log file from the default Mimikatz memssp module.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz Memssp Log File Detected\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. 
This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\\n\\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Retrieve and inspect the log file contents.\\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n - Identify the process that created the DLL using file creation events.\\n\\n### False positive analysis\\n\\n- This file name `mimilsa.log` should not legitimately be created.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the host is a Domain Controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reboot the host to remove the injected SSP from memory.\\n- Reimage the host operating system or restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"version\":311,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and file.name : \\\"mimilsa.log\\\" and process.name : \\\"lsass.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Mimikatz Memssp Log File Detected\",\"description\":\"Identifies the password log file from the default Mimikatz memssp module.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Mimikatz Memssp Log File Detected\\n\\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\\n\\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Retrieve and inspect the log file contents.\\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n - Identify the process that created the DLL using file creation events.\\n\\n### False positive analysis\\n\\n- This file name `mimilsa.log` should not legitimately be created.\\n\\n### Related rules\\n\\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the host is a Domain Controller (DC):\\n - Activate your incident response plan for total Active Directory compromise.\\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Reboot the host to remove the injected SSP from memory.\\n- Reimage the host operating system or restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":412,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/detect-credential-access\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"0cc41b75-deb3-4d2f-afd2-a5055f1af941\",\"rule_id\":\"ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.881Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and file.name : \\\"mimilsa.log\\\" and process.name : \\\"lsass.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":311,\"target_version\":412,\"merged_version\":412,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: 
Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"revision\":0,\"current_rule\":{\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"updated_at\":\"2024-12-04T19:46:01.648Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.648Z\",\"created_by\":\"elastic\",\"name\":\"IIS HTTP Logging Disabled\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. 
An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating IIS HTTP Logging Disabled\\n\\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\\n\\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\\n\\nThis rule monitors commands that disable IIS logging.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Verify whether the logs stored in the `C:\\\\inetpub\\\\logs\\\\logfiles\\\\w3svc1` directory were deleted after this action.\\n- Check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"max_signals\":33,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event 
Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"/dontLog*:*True\\\" and\\n not process.parent.name : \\\"iissetup.exe\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"IIS HTTP Logging Disabled\",\"description\":\"Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. 
An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating IIS HTTP Logging Disabled\\n\\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\\n\\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\\n\\nThis rule monitors commands that disable IIS logging.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Verify whether the logs stored in the `C:\\\\inetpub\\\\logs\\\\logfiles\\\\w3svc1` directory were deleted after this action.\\n- Check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Re-enable affected logging components, services, and security monitoring.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":33,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.002\",\"name\":\"Disable Windows Event Logging\",\"reference\":\"https://attack.mitre.org/techniques/T1562/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"917d79ec-71d4-4068-bfec-1720edaf072a\",\"rule_id\":\"ebf1adea-ccf2-4943-8b96-7ab11ca173a5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.648Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"appcmd.exe\\\" or ?process.pe.original_file_name == \\\"appcmd.exe\\\") and\\n process.args : \\\"/dontLog*:*True\\\" and\\n not process.parent.name : 
\\\"iissetup.exe\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"revision\":0,\"current_rule\":{\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"updated_at\":\"2024-12-04T19:46:01.652Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.652Z\",\"created_by\":\"elastic\",\"name\":\"Process Execution from an Unusual Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies process execution from suspicious default Windows directories. 
This is sometimes done by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Execution from an Unusual Directory\\n\\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and 
addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of executable and signature conditions.\\n\\n### Related Rules\\n\\n- Unusual 
Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Process Execution from an Unusual Directory\",\"description\":\"Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Process Execution from an Unusual Directory\\n\\nThis rule identifies processes that are executed from suspicious default Windows directories. 
Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events 
to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of executable and signature conditions.\\n\\n### Related Rules\\n\\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further 
post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.005\",\"name\":\"Match Legitimate Name or Location\",\"reference\":\"https://attack.mitre.org/techniques/T1036/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3062355f-82db-49d7-b903-4bb724ef54d9\",\"rule_id\":\"ebfe1448-7fac-4d59-acea-181bd89b1f7f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.652Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : 
(\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n 
(\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: 
SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and 
process.code_signature.trusted == true) */\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n /* add suspicious execution paths here */\\n process.executable : (\\n \\\"?:\\\\\\\\PerfLogs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\AMD\\\\\\\\Temp\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\AppReadiness\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ServiceState\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\IdentityCRL\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Branding\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\csc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\DigitalLocker\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\en-US\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\wlansvc\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\Prefetch\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Fonts\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\diagnostics\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\TAPI\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\INF\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Speech\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\tracing\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\IME\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Performance\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\windows\\\\\\\\intel\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\ms\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\dot3svc\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\panther\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\RemotePackages\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\OCR\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\appcompat\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\apppatch\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\addins\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Setup\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Help\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SKB\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Vss\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Web\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\CbsTemp\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Logs\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\WaaS\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ShellExperiences\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ShellComponents\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PLA\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Migration\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\debug\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Cursors\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Containers\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Boot\\\\\\\\*.exe\\\", 
\\\"?:\\\\\\\\Windows\\\\\\\\bcastdvr\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\assembly\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\TextInput\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\security\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SchCache\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Resources\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\rescache\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Provisioning\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PrintDialog\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\PolicyDefinitions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\media\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Globalization\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\L2Schemas\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\LiveKernelReports\\\\\\\\*.exe\\\", \\\"?:\\\\\\\\Windows\\\\\\\\ModemLogs\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\*.exe\\\"\\n ) and\\n \\n not process.name : (\\n \\\"SpeechUXWiz.exe\\\", \\\"SystemSettings.exe\\\", \\\"TrustedInstaller.exe\\\",\\n \\\"PrintDialog.exe\\\", \\\"MpSigStub.exe\\\", \\\"LMS.exe\\\", \\\"mpam-*.exe\\\"\\n ) and\\n not process.executable :\\n (\\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\WUSetupLauncher.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Wireless\\\\\\\\Setup.exe\\\",\\n \\\"?:\\\\\\\\Intel\\\\\\\\Move Mouse.exe\\\",\\n \\\"?:\\\\\\\\windows\\\\\\\\Panther\\\\\\\\DiagTrackRunner.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\GC64\\\\\\\\tzupd.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\RemoteLite.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\IBM\\\\\\\\ClientSolutions\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\syspin.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\Public\\\\\\\\res\\\\\\\\FileWatcher.exe\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"revision\":0,\"current_rule\":{\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"updated_at\":\"2024-12-04T19:46:01.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.676Z\",\"created_by\":\"elastic\",\"name\":\"AdFind Command Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the Active Directory query tool, AdFind.exe. 
AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdFind Command Activity\\n\\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line to determine what information was retrieved by the tool.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\\n\\n### Related rules\\n\\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"to\":\"now\",\"references\":[\"http://www.joeware.net/freetools/tools/adfind/\",\"https://thedfirreport.com/2020/05/08/adfind-recon/\",\"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\",\"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\",\"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\",\"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AdFind Command Activity\",\"description\":\"This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating AdFind Command Activity\\n\\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. 
This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Examine the command line to determine what information was retrieved by the tool.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. 
It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\\n\\n### Related rules\\n\\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: 
Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"http://www.joeware.net/freetools/tools/adfind/\",\"https://thedfirreport.com/2020/05/08/adfind-recon/\",\"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\",\"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\",\"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html\",\"https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1016\",\"name\":\"System Network Configuration Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1016/\"},{\"id\":\"T1018\",\"name\":\"Remote System Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1018/\"},{\"id\":\"T1069\",\"name\":\"Permission Groups Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1069/\",\"subtechnique\":[{\"id\":\"T1069.002\",\"name\":\"Domain Groups\",\"reference\":\"https://attack.mitre.org/techniques/T1069/002/\"}]},{\"id\":\"T1087\",\"name\":\"Account Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1087/\",\"subtechnique\":[{\"id\":\"T1087.002\",\"name\":\"Domain Account\",\"reference\":\"https://attack.mitre.org/techniques/T1087/002/\"}]},{\"id\":\"T1482\",\"name\":\"Domain Trust 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1482/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"01c85f34-25e4-4cfe-b44c-ee1bcc57b058\",\"rule_id\":\"eda499b8-a073-4e35-9733-22ec71f57f3a\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.676Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", 
\\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n 
\\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", \\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"AdFind*.exe\\\" or ?process.pe.original_file_name == \\\"AdFind.exe\\\") and\\n process.args : (\\\"objectcategory=computer\\\", \\\"(objectcategory=computer)\\\",\\n \\\"objectcategory=person\\\", \\\"(objectcategory=person)\\\",\\n \\\"objectcategory=subnet\\\", \\\"(objectcategory=subnet)\\\",\\n \\\"objectcategory=group\\\", \\\"(objectcategory=group)\\\",\\n \\\"objectcategory=organizationalunit\\\", \\\"(objectcategory=organizationalunit)\\\",\\n \\\"objectcategory=attributeschema\\\", \\\"(objectcategory=attributeschema)\\\",\\n \\\"domainlist\\\", \\\"dcmodes\\\", \\\"adinfo\\\", \\\"dclist\\\", \\\"computers_pwnotreqd\\\", 
\\\"trustdmp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"revision\":0,\"current_rule\":{\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"updated_at\":\"2024-12-04T19:46:01.692Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.692Z\",\"created_by\":\"elastic\",\"name\":\"ImageLoad via Windows Update Auto Update Client\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies abuse of the Windows Update Auto Update Client 
(wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating ImageLoad via Windows Update Auto Update Client\\n\\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \\n\\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\\\"/RunHandlerComServer\\\" and \\\"/UpdateDeploymentProvider\\\") and common writable paths where the target DLL can be placed (e.g., \\\"C:\\\\Users\\\\*.dll\\\", \\\"C:\\\\ProgramData\\\\*.dll\\\", etc.).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line and identify the DLL location.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"to\":\"now\",\"references\":[\"https://dtm.uk/wuauclt/\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"wuauclt.exe\\\" or process.name : \\\"wuauclt.exe\\\") and\\n /* necessary windows update client args to load a dll */\\n process.args : \\\"/RunHandlerComServer\\\" and process.args : \\\"/UpdateDeploymentProvider\\\" and\\n /* common paths writeable by a standard user where the target DLL can be placed */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"ImageLoad via Windows Update Auto Update Client\",\"description\":\"Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating ImageLoad via Windows Update Auto Update Client\\n\\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. 
However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \\n\\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\\\"/RunHandlerComServer\\\" and \\\"/UpdateDeploymentProvider\\\") and common writable paths where the target DLL can be placed (e.g., \\\"C:\\\\Users\\\\*.dll\\\", \\\"C:\\\\ProgramData\\\\*.dll\\\", etc.).\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the command line and identify the DLL location.\\n- Examine whether the DLL is signed.\\n- Retrieve the DLL and determine if it is malicious:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, 
or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://dtm.uk/wuauclt/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"038519a1-8ecd-432b-aed5-5c5d310017b1\",\"rule_id\":\"edf8ee23-5ea7-4123-ba19-56b41e424ae3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.692Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (?process.pe.original_file_name == \\\"wuauclt.exe\\\" or process.name : \\\"wuauclt.exe\\\") and\\n /* necessary windows update client args to load a dll */\\n process.args : \\\"/RunHandlerComServer\\\" and process.args : \\\"/UpdateDeploymentProvider\\\" and\\n /* common paths writeable by a standard user where the target DLL can be placed */\\n process.args : (\\\"C:\\\\\\\\Users\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\ProgramData\\\\\\\\*.dll\\\", \\\"C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\*.dll\\\", 
\\\"C:\\\\\\\\Windows\\\\\\\\Tasks\\\\\\\\*.dll\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"revision\":0,\"current_rule\":{\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"updated_at\":\"2024-12-04T19:46:01.696Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.696Z\",\"created_by\":\"elastic\",\"name\":\"Linux User Account Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to create new users. 
Attackers may add new users to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Account Creation\\n\\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"user\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"useradd\\\", \\\"adduser\\\") and user.name != 
null\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Linux User Account Creation\",\"description\":\"Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Linux User Account Creation\\n\\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\\n\\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\\n\\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible investigation steps\\n\\n- Investigate whether the user was created succesfully.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific Group\\\",\\\"query\\\":\\\"SELECT * FROM groups WHERE groupname = {{group.name}}\\\"}}\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Delete the created account.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Filebeat.\\n\\n### Filebeat Setup\\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\\n\\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\\n- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\\n\\n#### Rule Specific Setup Note\\n- This rule requires the “Filebeat System Module” to be enabled.\\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper 
guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"02011518-721d-47d8-bb33-f91f9e864726\",\"rule_id\":\"edfd5ca9-9d6c-44d9-b615-1e56b920219c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.696Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and (event.type == \\\"user\\\" and event.type == \\\"creation\\\") and\\nprocess.name in (\\\"useradd\\\", \\\"adduser\\\") and user.name != null\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-system.auth-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"revision\":0,\"current_rule\":{\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"updated_at\":\"2024-12-04T19:46:01.704Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.704Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Print Spooler Child Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Install or update of a legitimate printing driver. 
Verify the printer driver file metadata such as manufacturer and signature information.\"],\"from\":\"now-9m\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"spoolsv.exe\\\" and process.command_line != null and \\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n\\n /* exclusions for FP control below */\\n not process.name : (\\\"splwow64.exe\\\", \\\"PDFCreator.exe\\\", \\\"acrodist.exe\\\", \\\"spoolsv.exe\\\", \\\"msiexec.exe\\\", \\\"route.exe\\\", \\\"WerFault.exe\\\") and\\n not process.command_line : \\\"*\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS*\\\" and\\n not (process.name : \\\"net.exe\\\" and process.command_line : (\\\"*stop*\\\", \\\"*start*\\\")) and\\n not (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") and process.command_line : (\\\"*.spl*\\\", \\\"*\\\\\\\\program files*\\\", \\\"*route add*\\\")) and\\n not (process.name : \\\"netsh.exe\\\" and process.command_line : (\\\"*add portopening*\\\", \\\"*rule name*\\\")) and\\n not (process.name : \\\"regsvr32.exe\\\" and process.command_line : \\\"*PrintConfig.dll*\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CutePDF Writer\\\\\\\\CPWriter2.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GPLGS\\\\\\\\gswin32c.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Print Spooler Child Process\",\"description\":\"Detects unusual Print Spooler service (spoolsv.exe) child processes. 
This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":209,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information.\"],\"references\":[\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"b714f7c6-f6ac-44e1-a261-c39c94bb53f3\",\"rule_id\":\"ee5300a7-7e31-4a72-a258-250abb8b3aa1\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.704Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"spoolsv.exe\\\" and process.command_line != null and \\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n\\n /* exclusions for FP control below */\\n not process.name : (\\\"splwow64.exe\\\", \\\"PDFCreator.exe\\\", \\\"acrodist.exe\\\", \\\"spoolsv.exe\\\", \\\"msiexec.exe\\\", \\\"route.exe\\\", \\\"WerFault.exe\\\") and\\n not process.command_line : \\\"*\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\spool\\\\\\\\DRIVERS*\\\" and\\n not (process.name : \\\"net.exe\\\" and process.command_line : (\\\"*stop*\\\", \\\"*start*\\\")) and\\n not (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\") 
and process.command_line : (\\\"*.spl*\\\", \\\"*\\\\\\\\program files*\\\", \\\"*route add*\\\")) and\\n not (process.name : \\\"netsh.exe\\\" and process.command_line : (\\\"*add portopening*\\\", \\\"*rule name*\\\")) and\\n not (process.name : \\\"regsvr32.exe\\\" and process.command_line : \\\"*PrintConfig.dll*\\\") and\\n not process.executable : (\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CutePDF Writer\\\\\\\\CPWriter2.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\GPLGS\\\\\\\\gswin32c.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":209,\"merged_version\":209,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Use Case: Vulnerability\",\"Data Source: Elastic Defend\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"revision\":0,\"current_rule\":{\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"updated_at\":\"2024-12-04T19:46:01.724Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.724Z\",\"created_by\":\"elastic\",\"name\":\"Whoami Process Activity\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Whoami Process Activity\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. 
This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User 
Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"to\":\"now\",\"references\":[],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.*\",\"endgame-*\",\"logs-m365_defender.event-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"whoami.exe\\\" and\\n(\\n (\\n /* scoped for whoami execution under system privileges */\\n (\\n user.domain : 
(\\\"NT *\\\", \\\"* NT\\\", \\\"IIS APPPOOL\\\") and\\n user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\", \\\"S-1-5-82-*\\\") and\\n not ?winlog.event_data.SubjectUserName : \\\"*$\\\"\\n ) and\\n not (\\n process.parent.name : \\\"cmd.exe\\\" and\\n process.parent.args : (\\n \\\"chcp 437>nul 2>&1 & C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"chcp 437>nul 2>&1 & %systemroot%\\\\\\\\system32\\\\\\\\whoami /user\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"*WINDOWS\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile*\\\"\\n )\\n ) and\\n not (process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.parent.args : \\\"LIST\\\") and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Cohesity\\\\\\\\cohesity_windows_agent_service.exe\\\"\\n )\\n ) or\\n process.parent.name : (\\\"wsmprovhost.exe\\\", \\\"w3wp.exe\\\", \\\"wmiprvse.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Whoami Process Activity\",\"description\":\"Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Whoami Process Activity\\n\\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\\n\\nThis rule looks for the execution of the `whoami` utility. 
Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\\n\\n### False positive analysis\\n\\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\\n\\n### Related rules\\n\\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. 
Usage by non-engineers and ordinary users is unusual.\"],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1033\",\"name\":\"System Owner/User Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1033/\"}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"e0e8651b-6a9c-4eca-a26d-079a7b956843\",\"rule_id\":\"ef862985-3f13-4262-a686-5f357bbb9bc2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elas
tic\",\"created_at\":\"2024-12-04T19:46:01.724Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"whoami.exe\\\" and\\n(\\n (\\n /* scoped for whoami execution under system privileges */\\n (\\n user.domain : (\\\"NT *\\\", \\\"* NT\\\", \\\"IIS APPPOOL\\\") and\\n user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\", \\\"S-1-5-82-*\\\") and\\n not ?winlog.event_data.SubjectUserName : \\\"*$\\\"\\n ) and\\n not (\\n process.parent.name : \\\"cmd.exe\\\" and\\n process.parent.args : (\\n \\\"chcp 437>nul 2>&1 & C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"chcp 437>nul 2>&1 & %systemroot%\\\\\\\\system32\\\\\\\\whoami /user\\\",\\n \\\"C:\\\\\\\\WINDOWS\\\\\\\\System32\\\\\\\\whoami.exe /groups\\\",\\n \\\"*WINDOWS\\\\\\\\system32\\\\\\\\config\\\\\\\\systemprofile*\\\"\\n )\\n ) and\\n not (process.parent.executable : \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.parent.args : \\\"LIST\\\") and\\n not process.parent.executable : (\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\MonitoringHost.exe\\\",\\n \\\"C:\\\\\\\\Program Files\\\\\\\\Cohesity\\\\\\\\cohesity_windows_agent_service.exe\\\"\\n )\\n ) or\\n process.parent.name : (\\\"wsmprovhost.exe\\\", \\\"w3wp.exe\\\", \\\"wmiprvse.exe\\\", \\\"rundll32.exe\\\", \\\"regsvr32.exe\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.*\",\"endgame-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: 
Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"revision\":0,\"current_rule\":{\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"updated_at\":\"2024-12-04T19:46:01.732Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.732Z\",\"created_by\":\"elastic\",\"name\":\"Unusual Child Processes of RunDLL32\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"30m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Processes of RunDLL32\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related Rules\\n\\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-60m\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"lo
gs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence with maxspan=1h\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"rundll32.exe\\\" or process.pe.original_file_name == \\\"RUNDLL32.EXE\\\") and\\n process.args_count == 1\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"rundll32.exe\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Unusual Child Processes of RunDLL32\",\"description\":\"Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Unusual Child Processes of RunDLL32\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\\n\\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM 
services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related Rules\\n\\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"30m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.011\",\"name\":\"Rundll32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"727a714e-10d1-4b39-9664-7d3c917e7d15\",\"rule_id\":\"f036953a-4615-4707-a1ca-dc53bf69dcd5\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.732Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence with maxspan=1h\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"rundll32.exe\\\" or process.pe.original_file_name == \\\"RUNDLL32.EXE\\\") and\\n process.args_count == 1\\n ] by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"rundll32.exe\\\"\\n ] by 
process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"revision\":0,\"current_rule\":{\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"updated_at\":\"2024-12-04T19:46:01.736Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.736Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious HTML File Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the execution of a browser process to open an HTML file with high entropy and size. 
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.006\",\"name\":\"HTML 
Smuggling\",\"reference\":\"https://attack.mitre.org/techniques/T1027/006/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":107,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"],\"query\":\"sequence by user.id with maxspan=5m\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n file.extension : (\\\"htm\\\", \\\"html\\\") and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\") and\\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious HTML File Creation\",\"description\":\"Identifies the execution of a browser process to open an HTML file with high entropy and size. 
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.\",\"output_index\":\"\",\"version\":108,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"},{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1027\",\"name\":\"Obfuscated Files or Information\",\"reference\":\"https://attack.mitre.org/techniques/T1027/\",\"subtechnique\":[{\"id\":\"T1027.006\",\"name\":\"HTML Smuggling\",\"reference\":\"https://attack.mitre.org/techniques/T1027/006/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.size\",\"type\":\"long\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args_count\",\"type\":\"long\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a938fafb-810b-4df9-8827-661e9eafdf3b\",\"rule_id\":\"f0493cb4-9b15-43a9-9359-68c23a7f2cf3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.736Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":107,\"target_version\":108,\"merged_version\":108,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"This rule may have a low to medium performance impact due variety 
of file paths potentially matching each EQL sequence.\",\"merged_version\":\"This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by user.id with maxspan=5m\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n file.extension : (\\\"htm\\\", \\\"html\\\") and\\n file.path : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\") and\\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args == \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by user.id with maxspan=2m\\n\\n [file where host.os.type == \\\"windows\\\" and event.action in (\\\"creation\\\", \\\"rename\\\") and\\n\\n /* Check for HTML files with high entropy and size */\\n file.extension : (\\\"htm\\\", \\\"html\\\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\\n\\n /* Check for file paths in common download and temporary directories */\\n file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*\\\")]\\n [process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (\\n /* Check for browser processes opening HTML files with single argument */\\n (process.name in (\\\"chrome.exe\\\", \\\"msedge.exe\\\", \\\"brave.exe\\\", \\\"whale.exe\\\", \\\"browser.exe\\\", \\\"dragon.exe\\\", \\\"vivaldi.exe\\\", \\\"opera.exe\\\")\\n and process.args == \\\"--single-argument\\\") or\\n\\n /* Optionally, check for browser processes opening HTML files with two arguments */\\n (process.name == \\\"iexplore.exe\\\" and process.args_count == 2) or\\n\\n /* Optionally, check for browser processes opening HTML files with URL argument */\\n (process.name in (\\\"firefox.exe\\\", \\\"waterfox.exe\\\") and process.args 
== \\\"-url\\\")\\n )\\n /* Check for file paths in common download and temporary directories targeted in the process arguments */\\n and process.args : (\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Downloads\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\Content.Outlook\\\\\\\\*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Temp?_*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\7z*.htm*\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\Rar$*.htm*\\\")]\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"updated_at\":\"2024-12-04T19:46:01.766Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.766Z\",\"created_by\":\"elastic\",\"name\":\"Forwarded Google Workspace Security Alert\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. 
An alert is a warning of a potential security issue that Google has detected.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"rule_name_override\":\"google_workspace.alert.type\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.\",\"For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added.\"],\"from\":\"now-130m\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"threat\":[],\"to\":\"now\",\"references\":[\"https://workspace.google.com/products/admin/alert-center/\"],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset: google_workspace.alert\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Forwarded Google Workspace Security Alert\",\"description\":\"Identifies the occurrence of a security alert from the Google 
Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.\",\"risk_score\":73,\"severity\":\"high\",\"rule_name_override\":\"google_workspace.alert.type\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\\nConsult vendor documentation on interpreting specific events.\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Use Case: Log Auditing\",\"Use Case: Threat Detection\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"low\",\"value\":\"LOW\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"medium\",\"value\":\"MEDIUM\"},{\"field\":\"google_workspace.alert.metadata.severity\",\"operator\":\"equals\",\"severity\":\"high\",\"value\":\"HIGH\"}],\"interval\":\"10m\",\"from\":\"now-130m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.\",\"For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be 
added.\"],\"references\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"max_signals\":100,\"threat\":[],\"setup\":\"\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dc721cb0-766e-43b6-ae45-36ac1793d490\",\"rule_id\":\"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.039Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.766Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"event.dataset: google_workspace.alert\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://workspace.google.com/products/admin/alert-center/\"],\"target_version\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merged_version\":[\"https://workspace.google.com/products/admin/alert-center/\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"revision\":0,\"current_rule\":{\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"updated_at\":\"2024-12-04T19:46:01.774Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.774Z\",\"created_by\":\"elastic\",\"name\":\"Service Path Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Service Path Modification\",\"description\":\"Identifies attempts to modify a service path by an unusual process. 
Attackers may attempt to modify existing services for persistence or privilege escalation.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":105,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.003\",\"name\":\"Windows 
Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7c9551cd-c88f-4674-8ca0-36dad0d04f54\",\"rule_id\":\"f243fe39-83a4-46f3-a3b6-707557a102df\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.774Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.path : (\\n \\\"HKLM\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\MACHINE\\\\\\\\SYSTEM\\\\\\\\*ControlSet*\\\\\\\\Services\\\\\\\\*\\\\\\\\ImagePath\\\"\\n ) and not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\services.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":105,\"merged_version\":105,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"revision\":0,\"current_rule\":{\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"updated_at\":\"2024-12-04T19:45:40.273Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.273Z\",\"created_by\":\"elastic\",\"name\":\"SIP Provider Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications to the 
registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.003\",\"name\":\"SIP and Trust Provider Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1553/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/mattifestation/PoCSubjectInterfacePackage\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and 
registry.value : (\\\"Dll\\\", \\\"$Dll\\\") and\\n registry.path: (\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not (process.name : \\\"msiexec.exe\\\" and registry.data.strings : \\\"mso.dll\\\") and\\n not (process.name : \\\"regsvr32.exe\\\" and registry.data.strings == \\\"WINTRUST.DLL\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"SIP Provider Modification\",\"description\":\"Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. 
This may be an attempt to bypass signature validation checks or inject code into critical processes.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":310,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/mattifestation/PoCSubjectInterfacePackage\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1553\",\"name\":\"Subvert Trust Controls\",\"reference\":\"https://attack.mitre.org/techniques/T1553/\",\"subtechnique\":[{\"id\":\"T1553.003\",\"name\":\"SIP and Trust Provider 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1553/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6356c521-68c8-4d56-b0cd-7354e1ca9704\",\"rule_id\":\"f2c7b914-eda3-40c2-96ac-d23ef91776ca\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.273Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"Dll\\\", \\\"$Dll\\\") and\\n registry.path: (\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\OID\\\\\\\\EncodingType 0\\\\\\\\CryptSIPDllPutSignedDataMsg\\\\\\\\{*}\\\\\\\\Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\",\\n \\\"*\\\\\\\\SOFTWARE\\\\\\\\WOW6432Node\\\\\\\\Microsoft\\\\\\\\Cryptography\\\\\\\\Providers\\\\\\\\Trust\\\\\\\\FinalPolicy\\\\\\\\{*}\\\\\\\\$Dll\\\"\\n ) and\\n registry.data.strings:\\\"*.dll\\\" and\\n not (process.name : \\\"msiexec.exe\\\" 
and registry.data.strings : \\\"mso.dll\\\") and\\n not (process.name : \\\"regsvr32.exe\\\" and registry.data.strings == \\\"WINTRUST.DLL\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":310,\"merged_version\":310,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.registry-*\",\"endgame-*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"revision\":0,\"current_rule\":{\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"updated_at\":\"2024-12-04T19:46:01.786Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.786Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Memory Dump Creation\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Creation\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process responsible for creating the dump file.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/outflanknl/Dumpert\",\"https://github.com/hoangprod/AndrewSpecial\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Memory Dump Creation\",\"description\":\"Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c\",\"timeline_title\":\"Comprehensive File Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Memory Dump Creation\\n\\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. 
It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\\n\\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process responsible for creating the dump file.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/outflanknl/Dumpert\",\"https://github.com/hoangprod/AndrewSpecial\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS 
Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"935fc687-c017-4b3f-b8e7-e2a08a9b9b7e\",\"rule_id\":\"f2f46686-6f3c-4724-bd7d-24e31c70f98f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.786Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: 
SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL 
Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action != \\\"deletion\\\" and\\n file.name : (\\\"lsass*.dmp\\\", \\\"dumpert.dmp\\\", \\\"Andrew.dmp\\\", \\\"SQLDmpr*.mdmp\\\", \\\"Coredump.dmp\\\") and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\ReportServer\\\\\\\\bin\\\\\\\\SqlDumper.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe\\\"\\n ) and\\n file.path : (\\n \\\"?:\\\\\\\\*\\\\\\\\Reporting Services\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server Reporting Services\\\\\\\\SSRS\\\\\\\\Logfiles\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\Shared\\\\\\\\ErrorDumps\\\\\\\\SQLDmpr*.mdmp\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\*\\\\\\\\MSSQL\\\\\\\\LOG\\\\\\\\SQLDmpr*.mdmp\\\"\\n )\\n ) and\\n\\n not (\\n process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WerFault.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\WerFaultSecure.exe\\\"\\n ) 
and\\n file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\config\\\\\\\\systemprofile\\\\\\\\AppData\\\\\\\\Local\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\%LOCALAPPDATA%\\\\\\\\CrashDumps\\\\\\\\lsass.exe.*.dmp\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"revision\":0,\"current_rule\":{\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"updated_at\":\"2024-12-04T19:46:01.793Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.793Z\",\"created_by\":\"elastic\",\"name\":\"Google Workspace Object Copied to External Drive with App Consent\",\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects when a 
user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \\\"copy\\\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Object Copied to External Drive with App Consent\\n\\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. 
Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\\n\\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\\n - Review the application ID as well from `google_workspace.token.client.id`.\\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\\n - This information will help pivot and triage into what services may have been affected.\\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\\n\\n### False positive analysis\\n- Communicate with the affected user to identify if these actions were intentional\\n- If a container-bound script exists, review code to identify if it is benign or malicious\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help 
you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n - Resetting passwords does not necessarily revoke every OAuth grant; also revoke the implicated application's access explicitly (the app is identified by `google_workspace.token.client.id` in the token event) so any stolen tokens cannot be reused.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.\"],\"from\":\"now-9m\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing 
Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"],\"query\":\"sequence by source.user.email with maxspan=3m\\n[file where event.dataset == \\\"google_workspace.drive\\\" and event.action == \\\"copy\\\" and\\n\\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\\n google_workspace.drive.owner_is_team_drive == \\\"false\\\" and google_workspace.drive.copy_type == \\\"external\\\" and\\n\\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\\n google_workspace.drive.file.type: (\\\"script\\\", \\\"form\\\", \\\"spreadsheet\\\", \\\"document\\\")]\\n\\n[any where event.dataset == \\\"google_workspace.token\\\" and event.action == 
\\\"authorize\\\" and\\n\\n /* Ensures application ID references custom app in Google Workspace and not GCP */\\n google_workspace.token.client.id : \\\"*apps.googleusercontent.com\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Google Workspace Object Copied to External Drive with App Consent\",\"description\":\"Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \\\"copy\\\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Google Workspace Object Copied to External Drive with App Consent\\n\\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. 
Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\\n\\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\\n\\n#### Possible investigation steps\\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\\n - Review the application ID as well from `google_workspace.token.client.id`.\\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\\n - This information will help pivot and triage into what services may have been affected.\\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\\n\\n### False positive analysis\\n- Communicate with the affected user to identify if these actions were intentional\\n- If a container-bound script exists, review code to identify if it is benign or malicious\\n\\n### Response and remediation\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help 
you gain context:\\n - Identify the account role in the cloud environment.\\n - Assess the criticality of affected services and servers.\\n - Work with your IT team to identify and minimize the impact on users.\\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\\n - Resetting passwords does not necessarily revoke every OAuth grant; also revoke the implicated application's access explicitly (the app is identified by `google_workspace.token.client.id` in the token event) so any stolen tokens cannot be reused.\\n- Reactivate multi-factor authentication for the user.\\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\\n## Setup\\n\\n### Important Information Regarding Google Workspace Event Lag Times\\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\\n- See the following references for further information:\\n - https://support.google.com/a/answer/7061566\\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Cloud\",\"Data Source: Google Workspace\",\"Tactic: Initial Access\",\"Resources: Investigation Guide\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. 
It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task.\"],\"references\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.002\",\"name\":\"Spearphishing Link\",\"reference\":\"https://attack.mitre.org/techniques/T1566/002/\"}]}]}],\"setup\":\"The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.\",\"related_integrations\":[{\"package\":\"google_workspace\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"8a5fe898-3cc2-4573-ba8a-ad48edde0f82\",\"rule_id\":\"f33e68a4-bd19-11ed-b02f-f661ea17fbcc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.793Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by source.user.email with maxspan=3m\\n[file where event.dataset == \\\"google_workspace.drive\\\" and event.action == \\\"copy\\\" and\\n\\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\\n google_workspace.drive.owner_is_team_drive == \\\"false\\\" and google_workspace.drive.copy_type == \\\"external\\\" and\\n\\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\\n google_workspace.drive.file.type: (\\\"script\\\", \\\"form\\\", \\\"spreadsheet\\\", \\\"document\\\")]\\n\\n[any where event.dataset == \\\"google_workspace.token\\\" and event.action == \\\"authorize\\\" and\\n\\n /* Ensures application ID references custom app in Google Workspace and not GCP */\\n google_workspace.token.client.id : 
\\\"*apps.googleusercontent.com\\\"]\\n\",\"language\":\"eql\",\"index\":[\"filebeat-*\",\"logs-google_workspace*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"target_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"merged_version\":[\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one\",\"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two\",\"https://developers.google.com/apps-script/guides/bound\",\"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"google_workspace.drive.copy_type\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"google_workspace.drive.file.type\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"google_workspace.drive.owner_is_team_drive\",\"type\":\"boolean\",\"ecs\":false},{\"name\":\"google_workspace.token.client.id\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"source.user.email\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"revision\":0,\"current_rule\":{\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"updated_at\":\"2024-12-04T19:46:01.840Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.840Z\",\"created_by\":\"elastic\",\"name\":\"WMI Incoming Lateral Movement\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by host.id with maxspan = 2s\\n\\n /* Accepted Incoming RPC connection by Winmgmt service */\\n\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and source.port >= 49152 and destination.port >= 49152\\n ]\\n\\n /* Excluding Common FPs Nessus and SCCM */\\n\\n [process where host.os.type == \\\"windows\\\" and event.type == 
\\\"start\\\" and process.parent.name : \\\"WmiPrvSE.exe\\\" and\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\HPWBEM\\\\\\\\Tools\\\\\\\\hpsum_swdiscovery.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\Ccm32BitLauncher.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\mofcomp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\csc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\powercfg.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"REBOOT=ReallySuppress\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.args : \\\"uninstall\\\")\\n ]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMI Incoming Lateral Movement\",\"description\":\"Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":210,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.direction\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"source.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"269b41b3-2c89-4461-ac3b-5761b321ea8e\",\"rule_id\":\"f3475224-b179-4f78-8877-c2bd64c26b88\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.840Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan = 2s\\n\\n /* Accepted Incoming RPC connection by Winmgmt service */\\n\\n [network where host.os.type == \\\"windows\\\" and process.name : \\\"svchost.exe\\\" and network.direction : (\\\"incoming\\\", \\\"ingress\\\") and\\n source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and source.port >= 49152 and destination.port >= 49152\\n ]\\n\\n /* Excluding Common FPs Nessus and SCCM */\\n\\n [process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and process.parent.name : \\\"WmiPrvSE.exe\\\" and\\n not (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n not user.id : (\\\"S-1-5-18\\\", \\\"S-1-5-19\\\", \\\"S-1-5-20\\\") and\\n not process.executable :\\n (\\\"?:\\\\\\\\Program Files\\\\\\\\HPWBEM\\\\\\\\Tools\\\\\\\\hpsum_swdiscovery.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\Ccm32BitLauncher.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\mofcomp.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework*\\\\\\\\csc.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\powercfg.exe\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\" and process.args : \\\"REBOOT=ReallySuppress\\\") and\\n not (process.executable : \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\appcmd.exe\\\" and process.args : \\\"uninstall\\\")\\n ]\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":210,\"merged_version\":210,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"revision\":0,\"current_rule\":{\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"updated_at\":\"2024-12-04T19:46:01.849Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.849Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Network Connection via systemd\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. 
Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\"\\n ] by process.parent.entity_id\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Network Connection via systemd\",\"description\":\"Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd 
backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Command and Control\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\",\"subtechnique\":[{\"id\":\"T1543.002\",\"name\":\"Systemd Service\",\"reference\":\"https://attack.mitre.org/techniques/T1543/002/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend 
Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"70a7c922-9799-43bd-b6e3-1fa8e70c72b4\",\"rule_id\":\"f3818c85-2207-4b51-8a28-d70fb156ee87\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.849Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", 
\\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.id\",\"type\":\"keyword\",\"ecs\":true},{\"name\"
:\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\"\\n ] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"sequence by host.id with maxspan=5s\\n [process 
where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and\\n process.parent.name == \\\"systemd\\\" and process.name in (\\n \\\"python*\\\", \\\"php*\\\", \\\"perl\\\", \\\"ruby\\\", \\\"lua*\\\", \\\"openssl\\\", \\\"nc\\\", \\\"netcat\\\", \\\"ncat\\\", \\\"telnet\\\", \\\"awk\\\"\\n )\\n ] by process.entity_id\\n [network where host.os.type == \\\"linux\\\" and event.action == \\\"connection_attempted\\\" and event.type == \\\"start\\\" and\\n not process.executable == \\\"/tmp/newroot/bin/curl\\\"] by process.parent.entity_id\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"revision\":0,\"current_rule\":{\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"updated_at\":\"2024-12-04T19:46:01.854Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.854Z\",\"created_by\":\"elastic\",\"name\":\"Potential curl CVE-2023-38545 Exploitation\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Use Case: Vulnerability\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. 
For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"to\":\"now\",\"references\":[\"https://curl.se/docs/CVE-2023-38545.html\",\"https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/\",\"https://twitter.com/_JohnHammond/status/1711986412554531015\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nElastic Defend integration does not collect environment variable logging by default.\\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\\n #### To set up environment variable capture for an Elastic Agent policy:\\n- Go to “Security → Manage → Policies”.\\n- Select an “Elastic Agent policy”.\\n- Click “Show advanced settings”.\\n- Scroll down or search for “linux.advanced.capture_env_vars”.\\n- Enter the names of environment variables you want to capture, separated by commas.\\n- For this rule the linux.advanced.capture_env_vars variable should be set to \\\"http_proxy,HTTPS_PROXY,ALL_PROXY\\\".\\n- Click “Save”.\\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args : (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n 
process.env_vars: (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and \\nnot process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") and\\nnot process.args == \\\"/opt/rudder/bin/curl\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential curl CVE-2023-38545 Exploitation\",\"description\":\"Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Use Case: Vulnerability\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://curl.se/docs/CVE-2023-38545.html\",\"https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/\",\"https://twitter.com/_JohnHammond/status/1711986412554531015\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1203\",\"name\":\"Exploitation for Client Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1203/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\\nElastic Defend integration does not collect environment variable logging by default.\\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\\n #### To set up environment variable capture for an Elastic Agent policy:\\n- Go to “Security → Manage → Policies”.\\n- Select an “Elastic Agent policy”.\\n- Click “Show advanced settings”.\\n- Scroll down or search for “linux.advanced.capture_env_vars”.\\n- Enter the names of environment variables you want to capture, separated by commas.\\n- For this rule the linux.advanced.capture_env_vars variable should be set to \\\"http_proxy,HTTPS_PROXY,ALL_PROXY\\\".\\n- Click “Save”.\\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\\nFor more information on capturing environment variables refer to the [helper 
guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"1462f3b9-0c67-4e51-ba83-79206e33690c\",\"rule_id\":\"f41296b4-9975-44d6-9486-514c6f635b2d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.854Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", 
\\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.env_vars\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{
\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args : (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars: (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and \\nnot process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") and\\nnot process.args == \\\"/opt/rudder/bin/curl\\\"\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like (\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action == \\\"exec\\\" and process.name == \\\"curl\\\" \\nand (\\n process.args like 
(\\\"--socks5-hostname\\\", \\\"--proxy\\\", \\\"--preproxy\\\", \\\"socks5*\\\") or \\n process.env_vars like (\\\"http_proxy=socks5h://*\\\", \\\"HTTPS_PROXY=socks5h://*\\\", \\\"ALL_PROXY=socks5h://*\\\")\\n) and length(process.command_line) > 255 and not (\\n process.parent.name in (\\\"cf-agent\\\", \\\"agent-run\\\", \\\"agent-check\\\", \\\"rudder\\\", \\\"agent-inventory\\\", \\\"cf-execd\\\") or\\n process.args like \\\"/opt/rudder/*\\\" or\\n process.parent.executable like (\\\"/vz/root/*\\\", \\\"/var/rudder/*\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"revision\":0,\"current_rule\":{\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"updated_at\":\"2024-12-04T19:46:01.857Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.857Z\",\"created_by\":\"elastic\",\"name\":\"Persistence via Microsoft Office AddIns\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"wll\\\",\\\"xll\\\",\\\"ppa\\\",\\\"ppam\\\",\\\"xla\\\",\\\"xlam\\\") and\\n file.path :\\n (\\n 
\\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Word\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\AddIns\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Excel\\\\\\\\XLSTART\\\\\\\\*\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistence via Microsoft Office AddIns\",\"description\":\"Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1137\",\"name\":\"Office Application 
Startup\",\"reference\":\"https://attack.mitre.org/techniques/T1137/\",\"subtechnique\":[{\"id\":\"T1137.006\",\"name\":\"Add-ins\",\"reference\":\"https://attack.mitre.org/techniques/T1137/006/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7ee02713-6604-47a0-a88d-55cd181146d9\",\"rule_id\":\"f44fa4b6-524c-4e87-8d9e-a32599e4fb7c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.857Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n file.extension : (\\\"wll\\\",\\\"xll\\\",\\\"ppa\\\",\\\"ppam\\\",\\\"xla\\\",\\\"xlam\\\") and\\n file.path :\\n (\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Word\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\AddIns\\\\\\\\*\\\",\\n \\\"C:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Excel\\\\\\\\XLSTART\\\\\\\\*\\\"\\n 
)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"revision\":0,\"current_rule\":{\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"updated_at\":\"2024-12-04T19:46:01.862Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.862Z\",\"created_by\":\"elastic\",\"name\":\"Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the assignment of the SeEnableDelegationPrivilege sensitive \\\"user right\\\" to a user. The SeEnableDelegationPrivilege \\\"user right\\\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\\n\\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\\n\\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. 
Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\\n\\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\\n\\nIt is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\\n\\n#### Possible investigation steps\\n\\n- Investigate how the privilege was assigned to the user and who assigned it.\\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\\n- Investigate other alerts associated with the users/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. 
If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\\n\\n### Related rules\\n\\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Remove the privilege from the account.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account 
Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"to\":\"now\",\"references\":[\"https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml\",\"https://twitter.com/_nwodtuhs/status/1454049485080907776\",\"https://www.thehacker.recipes/ad/movement/kerberos/delegations\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policy Configuration >\\nAudit Policies >\\nPolicy Change >\\nAudit Authorization Policy Change (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"Authorization Policy Change\\\" and event.code:4704 and\\n winlog.event_data.PrivilegeList:\\\"SeEnableDelegationPrivilege\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\",\"description\":\"Identifies the assignment of the SeEnableDelegationPrivilege sensitive 
\\\"user right\\\" to a user. The SeEnableDelegationPrivilege \\\"user right\\\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\\n\\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\\n\\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\\n\\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\\n\\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\\n\\n#### Possible investigation steps\\n\\n- Investigate how the privilege was assigned to the user and who assigned it.\\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\\n- Investigate other alerts associated with the users/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\\n\\n### Related rules\\n\\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Remove the privilege from the account.\\n- Review the privileges of the administrator account that performed the action.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":213,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: 
System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml\",\"https://twitter.com/_nwodtuhs/status/1454049485080907776\",\"https://www.thehacker.recipes/ad/movement/kerberos/delegations\",\"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1098\",\"name\":\"Account Manipulation\",\"reference\":\"https://attack.mitre.org/techniques/T1098/\"}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policy Configuration >\\nAudit Policies >\\nPolicy Change >\\nAudit Authorization Policy Change 
(Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"a352f8b9-1eb1-4c5c-9c07-c26f1684d8e3\",\"rule_id\":\"f494c678-3c33-43aa-b169-bb3d5198c41d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.862Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.*\",\"logs-windows.*\"],\"query\":\"event.action:\\\"Authorization Policy Change\\\" and event.code:4704 and\\n winlog.event_data.PrivilegeList:\\\"SeEnableDelegationPrivilege\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":213,\"merged_version\":213,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Persistence\",\"Data Source: Active 
Directory\",\"Resources: Investigation Guide\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"revision\":0,\"current_rule\":{\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"updated_at\":\"2024-12-04T19:46:04.807Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.807Z\",\"created_by\":\"elastic\",\"name\":\"AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request\",\"tags\":[\"Domain: LLM\",\"Data Source: AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"interval\":\"10m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. 
Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"from\":\"now-60m\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[],\"to\":\"now\",\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request\",\"description\":\"Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused 
multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: LLM\",\"Data Source: 
AWS Bedrock\",\"Data Source: AWS S3\",\"Resources: Investigation Guide\",\"Use Case: Policy Violation\",\"Mitre Atlas: T0051\",\"Mitre Atlas: T0054\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"10m\",\"from\":\"now-60m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Legitimate misunderstanding by users or overly strict policies\"],\"references\":[\"https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html\",\"https://atlas.mitre.org/techniques/AML.T0051\",\"https://atlas.mitre.org/techniques/AML.T0054\",\"https://www.elastic.co/security-labs/elastic-advances-llm-security\"],\"max_signals\":100,\"threat\":[],\"setup\":\"## Setup\\n\\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\\n\\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\\n\",\"related_integrations\":[],\"required_fields\":[],\"id\":\"f2fbe5fc-635d-41fc-878a-31ed25163437\",\"rule_id\":\"f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.807Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"esql\",\"language\":\"esql\",\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations 
desc\\n\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"note\":{\"has_base_version\":false,\"current_version\":\"\",\"target_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Investigating Amazon Bedrock Guardrail Multiple Policy Violations Within a Single Blocked Request.\\n\\nAmazon Bedrock Guardrail is a set of features within Amazon Bedrock designed to help businesses apply robust safety and privacy controls to their generative AI applications.\\n\\nIt enables users to set 
guidelines and filters that manage content quality, relevancy, and adherence to responsible AI practices.\\n\\nThrough Guardrail, organizations can define \\\"denied topics\\\" to prevent the model from generating content on specific, undesired subjects,\\nand they can establish thresholds for harmful content categories, including hate speech, violence, or offensive language.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account and the user request that caused multiple policy violations and whether it should perform this kind of action.\\n- Investigate the user activity that might indicate a potential brute force attack.\\n- Investigate other alerts associated with the user account during the past 48 hours.\\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\\n- Examine the account's prompts and responses in the last 24 hours.\\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking Amazon Bedrock model access, prompts generated, and responses to the prompts by the account in the last 24 hours.\\n\\n### False positive analysis\\n\\n- Verify the user account that caused multiple policy violations, is not testing any new model deployments or updated compliance policies in Amazon Bedrock guardrails.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Disable or limit the account during the investigation and response.\\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\\n - Identify the account role in the cloud environment.\\n - Identify if the attacker is moving laterally and compromising other Amazon Bedrock Services.\\n - Identify any regulatory or legal ramifications related to this activity.\\n- Review the permissions assigned to the implicated user group or role behind these 
requests to ensure they are authorized and expected to access bedrock and ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"esql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"language\":\"esql\"},\"target_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations desc\\n\",\"language\":\"esql\"},\"merged_version\":{\"query\":\"from logs-aws_bedrock.invocation-*\\n| where gen_ai.policy.action == \\\"BLOCKED\\\"\\n| eval policy_violations = mv_count(gen_ai.policy.name)\\n| where policy_violations > 1\\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\\n| sort total_unique_request_violations 
desc\\n\",\"language\":\"esql\"},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"revision\":0,\"current_rule\":{\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"updated_at\":\"2024-12-04T19:46:04.809Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.809Z\",\"created_by\":\"elastic\",\"name\":\"DPKG Package Installed by Unusual Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the dpkg command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply 
Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"DPKG Package Installed by Unusual Parent Process\",\"description\":\"This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. 
Attackers can abuse the dpkg command to install malicious packages on a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":2,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"111539a0-6f80-45b3-b41b-4ac808860a77\",\"rule_id\":\"f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.809Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\\nprocess.args:(\\\"-i\\\" or \\\"--install\\\")\\n\",\"new_terms_fields\":[\"process.parent.executable\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":2,\"merged_version\":2,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"threat\":{\"has_base_version\":false,\"current_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"target_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial 
Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merged_version\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1543\",\"name\":\"Create or Modify System Process\",\"reference\":\"https://attack.mitre.org/techniques/T1543/\"},{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.016\",\"name\":\"Installer Packages\",\"reference\":\"https://attack.mitre.org/techniques/T1546/016/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1195\",\"name\":\"Supply Chain Compromise\",\"reference\":\"https://attack.mitre.org/techniques/T1195/\",\"subtechnique\":[{\"id\":\"T1195.002\",\"name\":\"Compromise Software Supply Chain\",\"reference\":\"https://attack.mitre.org/techniques/T1195/002/\"}]}]}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"revision\":0,\"current_rule\":{\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"updated_at\":\"2024-12-04T19:46:01.867Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.867Z\",\"created_by\":\"elastic\",\"name\":\"Windows Script Executing PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Script Executing PowerShell\\n\\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate commands executed by the spawned PowerShell process.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\") and process.name : \\\"powershell.exe\\\" and\\n not (\\n process.parent.name : \\\"wscript.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\IntuneDriveMapping-VBSHelper.vbs\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\DriveMapping.ps1\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Script Executing 
PowerShell\",\"description\":\"Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Script Executing PowerShell\\n\\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\\n\\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\\n\\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate commands executed by the spawned PowerShell process.\\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n\\n### False positive analysis\\n\\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- If the malicious file was delivered via phishing:\\n - Block the email sender from sending future emails.\\n - Block the malicious web pages.\\n - Remove emails from the sender from mailboxes.\\n - Consider improvements to the security awareness program.\\n- Reimage the host operating system and restore compromised files to clean versions.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1566\",\"name\":\"Phishing\",\"reference\":\"https://attack.mitre.org/techniques/T1566/\",\"subtechnique\":[{\"id\":\"T1566.001\",\"name\":\"Spearphishing Attachment\",\"reference\":\"https://attack.mitre.org/techniques/T1566/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.005\",\"name\":\"Visual 
Basic\",\"reference\":\"https://attack.mitre.org/techniques/T1059/005/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c83ce436-fad6-4947-a7c6-a91c5fa65152\",\"rule_id\":\"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.867Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : (\\\"cscript.exe\\\", \\\"wscript.exe\\\") and process.name : \\\"powershell.exe\\\" and\\n not (\\n process.parent.name : \\\"wscript.exe\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\IntuneDriveMapping-VBSHelper.vbs\\\" and\\n process.parent.args : \\\"?:\\\\\\\\ProgramData\\\\\\\\intune-drive-mapping-generator\\\\\\\\DriveMapping.ps1\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merged_version\":[\"https://www.elastic.co/security-labs/operation-bleeding-bear\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"revision\":0,\"current_rule\":{\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"updated_at\":\"2024-12-04T19:46:01.872Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.872Z\",\"created_by\":\"elastic\",\"name\":\"Rare SMB Connection to the Internet\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"to\":\"now\",\"references\":[\"https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/\"],\"version\":3,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"setup\":\"\",\"type\":\"new_terms\",\"query\":\"event.category:network and host.os.type:windows and process.pid:4 and \\n network.transport:tcp and destination.port:(139 or 445) and \\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n )\\n\",\"new_terms_fields\":[\"destination.ip\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Rare SMB Connection to the 
Internet\",\"description\":\"This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0010\",\"name\":\"Exfiltration\",\"reference\":\"https://attack.mitre.org/tactics/TA0010/\"},\"technique\":[{\"id\":\"T1048\",\"name\":\"Exfiltration Over Alternative 
Protocol\",\"reference\":\"https://attack.mitre.org/techniques/T1048/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"destination.port\",\"type\":\"long\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.transport\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pid\",\"type\":\"long\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true}],\"id\":\"6efb7d73-471a-4f3d-93d5-6d29fed99e7d\",\"rule_id\":\"f580bf0a-2d23-43bb-b8e1-17548bb947ec\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.872Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:network and host.os.type:windows and process.pid:4 and \\n network.transport:tcp and destination.port:(139 or 445) and \\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n ) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n 
)\\n\",\"new_terms_fields\":[\"destination.ip\"],\"history_window_start\":\"now-7d\",\"index\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":3,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Exfiltration\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.network-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"revision\":0,\"current_rule\":{\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"updated_at\":\"2024-12-04T19:46:01.875Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.875Z\",\"created_by\":\"elastic\",\"name\":\"WRITEDAC Access on Active Directory Object\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. 
Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf\"],\"version\":4,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration 
>\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.*\"],\"query\":\"host.os.type: \\\"windows\\\" and event.action : (\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and\\n event.code : \\\"4662\\\" and winlog.event_data.AccessMask:\\\"0x40000\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WRITEDAC Access on Active Directory Object\",\"description\":\"Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1222\",\"name\":\"File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/\",\"subtechnique\":[{\"id\":\"T1222.001\",\"name\":\"Windows File and Directory Permissions Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1222/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Access (Success,Failure)\\n```\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"77f1ba56-a564-40c6-9fd8-78f70dff4b8a\",\"rule_id\":\"f5861570-e39a-4b8a-9259-abd39f84cb97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.875Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.*\"],\"query\":\"host.os.type: \\\"windows\\\" and event.action : (\\\"Directory Service Access\\\" or \\\"object-operation-performed\\\") and\\n event.code : \\\"4662\\\" and 
winlog.event_data.AccessMask:\\\"0x40000\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":4,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Rule Type: BBR\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"revision\":0,\"current_rule\":{\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"updated_at\":\"2024-12-04T19:46:01.878Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.878Z\",\"created_by\":\"elastic\",\"name\":\"WMIC Remote Command\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"WMIC.exe\\\" and\\n process.args : \\\"*node:*\\\" and\\n process.args : (\\\"call\\\", \\\"set\\\", \\\"get\\\") and\\n not process.args : (\\\"*/node:localhost*\\\", \\\"*/node:\\\\\\\"127.0.0.1\\\\\\\"*\\\", \\\"/node:127.0.0.1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"WMIC Remote Command\",\"description\":\"Identifies the use of wmic.exe to run commands on remote hosts. 
While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.006\",\"name\":\"Windows Remote Management\",\"reference\":\"https://attack.mitre.org/techniques/T1021/006/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1047\",\"name\":\"Windows Management 
Instrumentation\",\"reference\":\"https://attack.mitre.org/techniques/T1047/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"9411a3ea-b6cf-4682-a4f9-9795fc0a5701\",\"rule_id\":\"f59668de-caa0-4b84-94c1-3a1549e1e798\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.040Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:01.878Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : \\\"WMIC.exe\\\" and\\n process.args : \\\"*node:*\\\" and\\n process.args : (\\\"call\\\", \\\"set\\\", \\\"get\\\") and\\n not process.args : (\\\"*/node:localhost*\\\", \\\"*/node:\\\\\\\"127.0.0.1\\\\\\\"*\\\", \\\"/node:127.0.0.1\\\")\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Defend\",\"Rule Type: BBR\",\"Data Source: Sysmon\",\"Data Source: Elastic Endgame\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"winlogbeat-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"revision\":0,\"current_rule\":{\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"updated_at\":\"2024-12-04T19:46:02.758Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.758Z\",\"created_by\":\"elastic\",\"name\":\"Setcap setuid/setgid Capability Set\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. 
Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Setcap setuid/setgid Capability Set\\n\\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\\n\\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\\n\\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and 
Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not process.parent.name in (\\\"jem\\\", \\\"vzctl\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Setcap setuid/setgid Capability Set\",\"description\":\"This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. 
Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Setcap setuid/setgid Capability Set\\n\\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\\n\\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\\n\\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n - Cron jobs, services and other persistence mechanisms.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Crontab Information\\\",\\\"query\\\":\\\"SELECT * FROM crontab\\\"}}\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should 
perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":6,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.001\",\"name\":\"Setuid and Setgid\",\"reference\":\"https://attack.mitre.org/techniques/T1548/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"056c380c-f7be-43ff-9dac-b3df39554b9c\",\"rule_id\":\"f5c005d3-4e17-48b0-9cd7-444d48857f97\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.758Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like 
\\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":6,\"merged_version\":6,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not process.parent.name in (\\\"jem\\\", \\\"vzctl\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like \\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\") and \\nprocess.name == \\\"setcap\\\" and process.args : \\\"cap_set?id+ep\\\" and not (\\n process.parent.name in (\\\"jem\\\", \\\"vzctl\\\") or\\n process.args like \\\"/usr/bin/new?idmap\\\"\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"revision\":0,\"current_rule\":{\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"updated_at\":\"2024-12-04T19:46:02.625Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.625Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Windows Process Cluster Spawned by a Parent Process\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"interval\":\"15m\",\"enabled\":false,\"revision\":0,\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. 
Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-45m\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"to\":\"now\",\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_parent\"],\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Windows Process Cluster Spawned by a Parent Process\",\"description\":\"A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. 
If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Living off the Land Attack Detection\",\"Rule Type: ML\",\"Rule Type: Machine Learning\",\"Tactic: Defense Evasion\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"15m\",\"from\":\"now-45m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\",\"https://docs.elastic.co/en/integrations/problemchild\",\"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\"}]}],\"setup\":\"## Setup\\n\\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\\n\\n### LotL Attack Detection Setup\\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for LotL Attack Detection.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\\n\\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\\n- Go to the Kibana homepage. 
Under Management, click Integrations.\\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\\n- Follow the instructions under the **Installation** section.\\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\\n\",\"related_integrations\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[],\"id\":\"54e56a2a-c7b2-4abe-9003-ae9b642c7365\",\"rule_id\":\"f5d9d36d-7c30-4cdb-a856-9f653c13d4e0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.625Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"machine_learning\",\"anomaly_threshold\":75,\"machine_learning_job_id\":[\"problem_child_high_sum_by_parent\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"problemchild\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"revision\":0,\"current_rule\":{\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"updated_at\":\"2024-12-04T19:46:02.627Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.627Z\",\"created_by\":\"elastic\",\"name\":\"Masquerading Space After Filename\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. 
They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.006\",\"name\":\"Space after Filename\",\"reference\":\"https://attack.mitre.org/techniques/T1036/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading\"],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"],\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and\\n event.type == \\\"start\\\" and\\n (process.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\") and not\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Masquerading Space After Filename\",\"description\":\"This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"OS: macOS\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense 
Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.006\",\"name\":\"Space after Filename\",\"reference\":\"https://attack.mitre.org/techniques/T1036/006/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b36a105d-1aa0-41ed-81c1-350e7051837c\",\"rule_id\":\"f5fb4598-4f10-11ed-bdc3-0242ac120002\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.627Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", 
\\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-endpoint.events.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and\\n event.type == \\\"start\\\" and\\n (process.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\") and not\\n 
process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", \\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type:(\\\"linux\\\",\\\"macos\\\") and event.type == \\\"start\\\" and\\nprocess.executable regex~ \\\"\\\"\\\"/[a-z0-9\\\\s_\\\\-\\\\\\\\./]+\\\\s\\\"\\\"\\\" and not (\\n process.name in (\\\"ls\\\", \\\"find\\\", \\\"grep\\\", \\\"xkbcomp\\\") or\\n process.executable like (\\\"/opt/nessus_agent/*\\\", \\\"/opt/gitlab/sv/gitlab-exporter/*\\\", \\\"/tmp/ansible-admin/*\\\") or\\n process.parent.args in (\\n \\\"./check_rubrik\\\", \\\"/usr/bin/check_mk_agent\\\", \\\"/etc/rubrik/start_stop_bootstrap.sh\\\", \\\"/etc/rubrik/start_stop_agent.sh\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"revision\":0,\"current_rule\":{\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"updated_at\":\"2024-12-04T19:46:02.632Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.632Z\",\"created_by\":\"elastic\",\"name\":\"Windows Firewall Disabled via PowerShell\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Firewall Disabled via PowerShell\\n\\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Re-enable the firewall with its desired configurations.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Windows Firewall can be disabled by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.\"],\"from\":\"now-9m\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps\",\"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\",\"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\",\"http://woshub.com/manage-windows-firewall-powershell/\"],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", 
\\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n (process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\") and\\n (process.args : \\\"*-All*\\\" or process.args : (\\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Windows Firewall Disabled via PowerShell\",\"description\":\"Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Windows Firewall Disabled via PowerShell\\n\\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\\n\\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\\n\\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Re-enable the firewall with its desired configurations.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[\"Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule.\"],\"references\":[\"https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps\",\"https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell\",\"http://powershellhelp.space/commands/set-netfirewallrule-psv5.php\",\"http://woshub.com/manage-windows-firewall-powershell/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.004\",\"name\":\"Disable or Modify System Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/004/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c0ae5ab3-a104-4b70-a65e-d2dc45db6663\",\"rule_id\":\"f63c8e3c-d396-404f-b2ea-0379d3942d73\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.632Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", 
\\\"*Private*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.action == \\\"start\\\" and\\n (process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or ?process.pe.original_file_name == \\\"PowerShell.EXE\\\") and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n (process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\") and\\n (process.args : \\\"*-All*\\\" or process.args : (\\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\"))\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n 
process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\")\\n ) and\\n process.args : \\\"*Set-NetFirewallProfile*\\\" and\\n process.args : \\\"*-Enabled*\\\" and process.args : \\\"*False*\\\" and\\n process.args : (\\\"*-All*\\\", \\\"*Public*\\\", \\\"*Domain*\\\", \\\"*Private*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"revision\":0,\"current_rule\":{\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"updated_at\":\"2024-12-04T19:46:02.637Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.637Z\",\"created_by\":\"elastic\",\"name\":\"Delete Volume USN Journal with Fsutil\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies use of the fsutil.exe to delete the volume USNJRNL. 
This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Delete Volume USN Journal with Fsutil\\n\\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\\n\\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\\n\\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == 
\\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"deletejournal\\\" and process.args : \\\"usn\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Delete Volume USN Journal with Fsutil\",\"description\":\"Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Delete Volume USN Journal with Fsutil\\n\\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\\n\\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\\n\\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n - Verify if any other anti-forensics behaviors were observed.\\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1070\",\"name\":\"Indicator Removal\",\"reference\":\"https://attack.mitre.org/techniques/T1070/\",\"subtechnique\":[{\"id\":\"T1070.004\",\"name\":\"File 
Deletion\",\"reference\":\"https://attack.mitre.org/techniques/T1070/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"06e80b86-d513-4aca-8daa-e5ad3d552b77\",\"rule_id\":\"f675872f-6d85-40a3-b502-c0d2ef101e92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.637Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"fsutil.exe\\\" or ?process.pe.original_file_name == \\\"fsutil.exe\\\") and\\n process.args : \\\"deletejournal\\\" and process.args : \\\"usn\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"revision\":0,\"current_rule\":{\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"updated_at\":\"2024-12-04T19:46:02.655Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.655Z\",\"created_by\":\"elastic\",\"name\":\"Persistent Scripts in the Startup Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. 
Adversaries may abuse this technique to maintain persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous 
entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for logon events (for example, Windows Security event ID 4624) to the target host after the script or shortcut was created in the Startup folder, since the payload only runs at the next account logon.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"},{\"id\":\"T1547.009\",\"name\":\"Shortcut Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1547/009/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":111,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n file.extension : (\\\"lnk\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") and\\n not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\")) and\\n\\n /* detect shortcuts created by wscript.exe or cscript.exe */\\n (file.path : \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.lnk\\\" and\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")) or\\n\\n /* detect vbs or js files created by any process */\\n file.path : (\\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbs\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbe\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsh\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsf\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.js\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Persistent Scripts in the Startup Directory\",\"description\":\"Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. 
Adversaries may abuse this technique to maintain persistence in an environment.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1547\",\"name\":\"Boot or Logon Autostart Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1547/\",\"subtechnique\":[{\"id\":\"T1547.001\",\"name\":\"Registry Run Keys / Startup Folder\",\"reference\":\"https://attack.mitre.org/techniques/T1547/001/\"},{\"id\":\"T1547.009\",\"name\":\"Shortcut 
Modification\",\"reference\":\"https://attack.mitre.org/techniques/T1547/009/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.domain\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"092e7b91-32d4-4fe6-828e-2d6cb20b57de\",\"rule_id\":\"f7c4dc5a-a58d-491d-9f14-9b66507121c0\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.655Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start 
Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":111,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"note\":{\"has_base_version\":false,\"current_version\":\"## Triage and analysis\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. 
Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host 
services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"target_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merged_version\":\"## Triage and analysis\\n\\n### Performance\\n\\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\\n\\n### Investigating Persistent Scripts in the Startup Directory\\n\\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\\n\\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the file using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Related rules\\n\\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n file.extension : (\\\"lnk\\\", \\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") and\\n not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\")) and\\n\\n /* detect shortcuts created by wscript.exe or cscript.exe */\\n (file.path : \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.lnk\\\" and\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")) or\\n\\n /* detect vbs or js files created by any process */\\n file.path : (\\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbs\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.vbe\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsh\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.wsf\\\",\\n \\\"C:\\\\\\\\*\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*.js\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to 
file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and\\n\\n /* Call attention to file extensions that may be used for malicious purposes */\\n /* Optionally, Windows scripting engine processes targeting shortcut files */\\n (\\n file.extension : (\\\"vbs\\\", \\\"vbe\\\", \\\"wsh\\\", \\\"wsf\\\", \\\"js\\\") or\\n process.name : (\\\"wscript.exe\\\", \\\"cscript.exe\\\")\\n ) and not (startsWith(user.domain, \\\"NT\\\") or endsWith(user.domain, \\\"NT\\\"))\\n\\n /* Identify files created or changed in the startup folder */\\n and file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"revision\":0,\"current_rule\":{\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"updated_at\":\"2024-12-04T19:46:02.657Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.657Z\",\"created_by\":\"elastic\",\"name\":\"Potential Privilege Escalation via Linux DAC permissions\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. 
The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\\\"0\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Privilege Escalation via Linux DAC permissions\",\"description\":\"Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. 
The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1068\",\"name\":\"Exploitation for Privilege Escalation\",\"reference\":\"https://attack.mitre.org/techniques/T1068/\"}]}],\"setup\":\"## Setup\\n\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"085f1c62-934c-4d06-af93-f24d2b0832bb\",\"rule_id\":\"f7c70f2e-4616-439c-85ac-5b98415042fe\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.657Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or 
process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"new_terms_fields\":[\"process.executable\"],\"history_window_start\":\"now-10d\",\"index\":[\"logs-endpoint.events.*\"],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"proces
s.thread.capabilities.effective\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.thread.capabilities.permitted\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"kql_query\":{\"has_base_version\":false,\"current_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\\\"0\\\"\\n\",\"language\":\"kuery\",\"filters\":[]},\"target_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merged_version\":{\"type\":\"inline_query\",\"query\":\"event.category:process and host.os.type:linux and event.type:start and event.action:exec and\\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) 
and\\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not (\\n user.id : \\\"0\\\" or\\n process.name : (\\n \\\"tar\\\" or \\\"getent\\\" or \\\"su\\\" or \\\"stat\\\" or \\\"dirname\\\" or \\\"chown\\\" or \\\"sudo\\\" or \\\"dpkg-split\\\" or \\\"dpkg-deb\\\" or \\\"dpkg\\\" or\\n \\\"podman\\\" or \\\"awk\\\" or \\\"passwd\\\" or \\\"dpkg-maintscript-helper\\\" or \\\"mutt_dotlock\\\" or \\\"nscd\\\" or \\\"logger\\\" or \\\"gpasswd\\\"\\n ) or\\n process.executable : /usr/lib/*/lxc/rootfs/* or\\n process.parent.name : (\\n \\\"dpkg\\\" or \\\"java\\\" or *postinst or \\\"dpkg-preconfigure\\\" or \\\"gnome-shell\\\"\\n )\\n)\\n\",\"language\":\"kuery\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"new_terms_fields\":{\"has_base_version\":false,\"current_version\":[\"host.id\",\"process.command_line\",\"process.executable\"],\"target_version\":[\"process.executable\"],\"merged_version\":[\"process.executable\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"revision\":0,\"current_rule\":{\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"updated_at\":\"2024-12-04T19:46:02.660Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.660Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Exchange Worker Spawning Suspicious Processes\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious processes 
being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command 
Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\",\"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"w3wp.exe\\\" and process.parent.args : \\\"MSExchange*AppPool\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", 
\\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", \\\"powershell_ise.exe\\\"))\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Exchange Worker Spawning Suspicious Processes\",\"description\":\"Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers\",\"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities\",\"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0001\",\"name\":\"Initial Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0001/\"},\"technique\":[{\"id\":\"T1190\",\"name\":\"Exploit Public-Facing Application\",\"reference\":\"https://attack.mitre.org/techniques/T1190/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"},{\"id\":\"T1059.003\",\"name\":\"Windows Command Shell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/003/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bbbf87fa-a57c-4cbf-a886-089a9a85e667\",\"rule_id\":\"f81ee52c-297e-46d9-9205-07e66931df26\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.660Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.parent.name : \\\"w3wp.exe\\\" and process.parent.args : \\\"MSExchange*AppPool\\\" and\\n (process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.exe\\\", \\\"powershell_ise.exe\\\") or\\n ?process.pe.original_file_name in (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"pwsh.dll\\\", 
\\\"powershell_ise.exe\\\"))\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Initial Access\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"revision\":0,\"current_rule\":{\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"updated_at\":\"2024-12-04T19:45:40.267Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.267Z\",\"created_by\":\"elastic\",\"name\":\"Modification of AmsiEnable Registry Key\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of AmsiEnable Registry Key\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\\n\\nThis rule monitors the modifications to the Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable registry key.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Related rules\\n\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Delete or set the key to its default value.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf\",\"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\"],\"version\":112,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"AmsiEnable\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n ) and\\n registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Modification of AmsiEnable Registry Key\",\"description\":\"Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Modification of AmsiEnable Registry Key\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\\n\\nThis rule monitors the modifications to the Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable registry key.\\n\\n#### Possible investigation steps\\n\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Use process name, command line, and file hash to search for occurrences on other hosts.\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Related rules\\n\\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Delete or set the key to its default value.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf\",\"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify 
Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b04fc522-01d5-497a-b717-a939587ca483\",\"rule_id\":\"f874315d-5188-4b4a-8521-d1c73093a7e4\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.267Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":112,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense 
Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry 
where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : \\\"AmsiEnable\\\" and\\n registry.path : (\\n \\\"HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"HKU\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n ) and\\n registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and\\n registry.value : \\\"AmsiEnable\\\" and registry.data.strings: (\\\"0\\\", \\\"0x00000000\\\")\\n\\n /*\\n Full registry key path omitted due to data source variations:\\n HKEY_USERS\\\\\\\\*\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows Script\\\\\\\\Settings\\\\\\\\AmsiEnable\\\"\\n */\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":7,\"num_fields_with_conflicts\":6,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"revision\":0,\"current_rule\":{\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"updated_at\":\"2024-12-04T19:46:04.814Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.814Z\",\"created_by\":\"elastic\",\"name\":\"Potential Active Directory Replication Account Backdoor\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. 
Attackers can use this backdoor to re-obtain access to hashes of any user/computer.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/menasec1/status/1111556090137903104\",\"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false
}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"nTSecurityDescriptor\\\" and\\n winlog.event_data.AttributeValue : (\\n (\\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Active Directory Replication Account Backdoor\",\"description\":\"Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. 
Attackers can use this backdoor to re-obtain access to hashes of any user/computer.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://twitter.com/menasec1/status/1111556090137903104\",\"https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf\",\"https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes\",\"https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.006\",\"name\":\"DCSync\",\"reference\":\"https://attack.mitre.org/techniques/T1003/006/\"}]}]}],\"setup\":\"The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nPolicies >\\nWindows Settings >\\nSecurity Settings >\\nAdvanced Audit Policies 
Configuration >\\nAudit Policies >\\nDS Access >\\nAudit Directory Service Changes (Success,Failure)\\n```\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.code\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.AttributeLDAPDisplayName\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"winlog.event_data.AttributeValue\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"611de3ce-20c0-478e-bf29-4370514e7adf\",\"rule_id\":\"f8822053-a5d2-46db-8c96-d460b12c36ac\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.814Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"event.action:(\\\"Directory Service Changes\\\" or \\\"directory-service-object-modified\\\") and event.code:\\\"5136\\\" and\\n winlog.event_data.AttributeLDAPDisplayName:\\\"nTSecurityDescriptor\\\" and\\n winlog.event_data.AttributeValue : (\\n (\\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\"],\"target_version\":[\"Domain: Endpoint\",\"OS: 
Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: Active Directory\",\"Use Case: Active Directory Monitoring\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"revision\":0,\"current_rule\":{\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"updated_at\":\"2024-12-04T19:46:02.667Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.667Z\",\"created_by\":\"elastic\",\"name\":\"Ingress Transfer via Windows BITS\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). 
Adversaries could leverage Windows BITS transfer jobs to download remote payloads.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Ingress Transfer via Windows BITS\\n\\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\\n\\nThis rule identifies such abuse by monitoring for file renaming events involving \\\"svchost.exe\\\" and \\\"BIT*.tmp\\\" on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Gain context into the BITS transfer.\\n - Try to determine the process that initiated the BITS transfer.\\n - Search `bitsadmin.exe` processes and examine their command lines.\\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\\n - Try to determine the origin of the file.\\n - Inspect network connections initiated by `svchost.exe`.\\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\\n - Check if the domain is newly registered or unexpected.\\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved executables using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\\n\\n### Related Rules\\n\\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\\n- Bitsadmin Activity - 
8eec4df1-4b4b-4502-b6c3-c788714604c9\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"to\":\"now\",\"references\":[\"https://attack.mitre.org/techniques/T1197/\"],\"version\":7,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater2_x64.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Ingress Transfer via Windows BITS\",\"description\":\"Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Ingress Transfer via Windows BITS\\n\\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\\n\\nThis rule identifies such abuse by monitoring for file renaming events involving \\\"svchost.exe\\\" and \\\"BIT*.tmp\\\" on Windows systems.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Gain context into the BITS transfer.\\n - Try to determine the process that initiated the BITS transfer.\\n - Search `bitsadmin.exe` processes and examine their command lines.\\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\\n - Try to determine the origin of the file.\\n - Inspect network connections initiated by `svchost.exe`.\\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\\n - Check if the domain is newly registered or unexpected.\\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\\n- Examine the details of the dropped file, and whether it was executed.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved executables using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - 
!{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\\n\\n### Related Rules\\n\\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\\n- Bitsadmin Activity - 
8eec4df1-4b4b-4502-b6c3-c788714604c9\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":8,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Tactic: Command and Control\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://attack.mitre.org/techniques/T1197/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1197\",\"name\":\"BITS 
Jobs\",\"reference\":\"https://attack.mitre.org/techniques/T1197/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"65c62703-8295-46ca-abd5-fe743ece7e8d\",\"rule_id\":\"f95972d3-c23b-463b-89a8-796b3f369b49\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.667Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":7,\"target_version\":8,\"merged_version\":8,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n 
\\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater2_x64.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", \\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action == \\\"rename\\\" and\\n process.name : \\\"svchost.exe\\\" and file.Ext.original.name : \\\"BIT*.tmp\\\" and \\n (file.extension : (\\\"exe\\\", \\\"zip\\\", \\\"rar\\\", \\\"bat\\\", 
\\\"dll\\\", \\\"ps1\\\", \\\"vbs\\\", \\\"wsh\\\", \\\"js\\\", \\\"vbe\\\", \\\"pif\\\", \\\"scr\\\", \\\"cmd\\\", \\\"cpl\\\") or\\n file.Ext.header_bytes : \\\"4d5a*\\\") and \\n \\n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\\n not file.path : (\\\"?:\\\\\\\\Program Files\\\\\\\\*\\\", \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\*\\\", \\\"?:\\\\\\\\ProgramData\\\\\\\\*\\\\\\\\*\\\") and \\n \\n /* lot of third party SW use BITS to download executables with a long file name */\\n not length(file.name) > 30 and\\n not file.path : (\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp*\\\\\\\\wct*.tmp\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\RdrServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Adobe\\\\\\\\ARM\\\\\\\\*\\\\\\\\AcroServicesUpdater*.exe\\\",\\n \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Docker Desktop Installer\\\\\\\\update-*.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"revision\":0,\"current_rule\":{\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"updated_at\":\"2024-12-04T19:46:02.669Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.669Z\",\"created_by\":\"elastic\",\"name\":\"Browser Extension Install\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the install of browser extensions. 
Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1176\",\"name\":\"Browser Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1176/\"}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n 
file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Browser Extension Install\",\"description\":\"Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":202,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1176\",\"name\":\"Browser 
Extensions\",\"reference\":\"https://attack.mitre.org/techniques/T1176/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"557c76a6-262d-4032-979e-a0cf1f276496\",\"rule_id\":\"f97504ac-1053-498f-aeaa-c6d01e76b379\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.669Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":202,\"merged_version\":202,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: SentinelOne\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, 
CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.action : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n 
)\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type : \\\"creation\\\" and \\n(\\n /* Firefox-Based Browsers */\\n (\\n file.name : \\\"*.xpi\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\*\\\\\\\\Profiles\\\\\\\\*\\\\\\\\Extensions\\\\\\\\*.xpi\\\" and\\n not \\n (\\n process.name : \\\"firefox.exe\\\" and\\n file.name : (\\\"langpack-*@firefox.mozilla.org.xpi\\\", \\\"*@dictionaries.addons.mozilla.org.xpi\\\")\\n )\\n ) or\\n /* Chromium-Based Browsers */\\n (\\n file.name : \\\"*.crx\\\" and\\n file.path : \\\"?:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\*\\\\\\\\*\\\\\\\\User Data\\\\\\\\Webstore Downloads\\\\\\\\*\\\"\\n )\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.file-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-windows.sysmon_operational-*\",\"winlogbeat-*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"revision\":0,\"current_rule\":{\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"updated_at\":\"2024-12-04T19:46:02.671Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.671Z\",\"created_by\":\"elastic\",\"name\":\"Privileged Account Brute Force\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. 
Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privileged Account Brute Force\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nIf enabling an EQL 
rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"],\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and user.name : \\\"*admin*\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Privileged Account Brute Force\",\"description\":\"Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Privileged Account Brute Force\\n\\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. 
More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\\n\\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the logon failure reason code and the targeted user name.\\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\\n- Investigate the source IP address of the failed Network Logon attempts.\\n - Identify whether these attempts are coming from the internet or are internal.\\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\\n- Identify the source and the target computer and their roles in the IT environment.\\n- Check whether the involved credentials are used in automation or scheduled tasks.\\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\\n- Examine the source host for derived artifacts that indicate compromise:\\n - Observe and collect information about the following activities in the alert source host:\\n - Attempts to contact external domains and addresses.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\\n\\n### False positive analysis\\n\\n- Authentication misconfiguration or obsolete credentials.\\n- Service account password expired.\\n- Domain trust relationship issues.\\n- Infrastructure or availability issues.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the source host to prevent further post-compromise behavior.\\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":110,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1110\",\"name\":\"Brute Force\",\"reference\":\"https://attack.mitre.org/techniques/T1110/\",\"subtechnique\":[{\"id\":\"T1110.001\",\"name\":\"Password Guessing\",\"reference\":\"https://attack.mitre.org/techniques/T1110/001/\"},{\"id\":\"T1110.003\",\"name\":\"Password Spraying\",\"reference\":\"https://attack.mitre.org/techniques/T1110/003/\"}]}]}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to 
@timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"related_integrations\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"user.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.computer_name\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.event_data.Status\",\"type\":\"keyword\",\"ecs\":false},{\"name\":\"winlog.logon.type\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"31359b29-3eeb-449d-a1fa-b5cd7fe08fdd\",\"rule_id\":\"f9790abf-bd0c-45f9-8b5f-d0b74015e029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.671Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by winlog.computer_name, source.ip with maxspan=10s\\n [authentication where event.action == \\\"logon-failed\\\" and winlog.logon.type : \\\"Network\\\" and\\n source.ip != null and source.ip != \\\"127.0.0.1\\\" and source.ip != \\\"::1\\\" and user.name : \\\"*admin*\\\" and\\n\\n /* noisy failure status codes often associated to authentication misconfiguration */\\n not winlog.event_data.Status : (\\\"0xC000015B\\\", \\\"0XC000005E\\\", \\\"0XC0000133\\\", \\\"0XC0000192\\\")] with runs=5\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-system.security*\",\"logs-windows.forwarded*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":110,\"merged_version\":110,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Resources: Investigation Guide\",\"Data Source: System\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"revision\":0,\"current_rule\":{\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"updated_at\":\"2024-12-04T19:46:02.676Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.676Z\",\"created_by\":\"elastic\",\"name\":\"Remote File Copy to a Hidden Share\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a 
remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"xcopy.exe\\\") and\\n process.args : (\\\"copy*\\\", \\\"move*\\\", \\\"cp\\\", \\\"mv\\\") or\\n process.name : \\\"robocopy.exe\\\"\\n ) and process.args : \\\"*\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Remote File Copy to a Hidden Share\",\"description\":\"Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0008\",\"name\":\"Lateral Movement\",\"reference\":\"https://attack.mitre.org/tactics/TA0008/\"},\"technique\":[{\"id\":\"T1021\",\"name\":\"Remote 
Services\",\"reference\":\"https://attack.mitre.org/techniques/T1021/\",\"subtechnique\":[{\"id\":\"T1021.002\",\"name\":\"SMB/Windows Admin Shares\",\"reference\":\"https://attack.mitre.org/techniques/T1021/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"7b8ca9f0-c1c0-4532-9f27-3acf8e9edddf\",\"rule_id\":\"fa01341d-6662-426b-9d0c-6d81e33c8a9d\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.676Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (\\n process.name : (\\\"cmd.exe\\\", \\\"powershell.exe\\\", \\\"xcopy.exe\\\") and\\n process.args : (\\\"copy*\\\", \\\"move*\\\", \\\"cp\\\", \\\"mv\\\") or\\n process.name : \\\"robocopy.exe\\\"\\n ) and process.args : 
\\\"*\\\\\\\\\\\\\\\\*\\\\\\\\*$*\\\"\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Lateral Movement\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merged_version\":[\"https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"revision\":0,\"current_rule\":{\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"updated_at\":\"2024-12-04T19:46:02.688Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.688Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious Antimalware Scan Interface DLL\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an 
unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Antimalware Scan Interface DLL\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process that created the DLL and which account was used.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Investigate other processes launched from the directory that the DLL was created.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"],\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and not file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious Antimalware Scan Interface DLL\",\"description\":\"Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. 
This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious Antimalware Scan Interface DLL\\n\\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\\n\\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Identify the process that created the DLL and which account was used.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the execution of scripts and macros after the registry modification.\\n- Investigate other processes launched from the directory that the DLL was created.\\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\\n - Observe and collect information about the following activities in the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n\\n### False positive analysis\\n\\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":313,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]},{\"id\":\"T1574\",\"name\":\"Hijack Execution Flow\",\"reference\":\"https://attack.mitre.org/techniques/T1574/\",\"subtechnique\":[{\"id\":\"T1574.001\",\"name\":\"DLL Search Order 
Hijacking\",\"reference\":\"https://attack.mitre.org/techniques/T1574/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c658e6cb-a995-4571-a158-18f70bdbf38f\",\"rule_id\":\"fa488440-04cc-41d7-9279-539387bf2a17\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.688Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n 
\\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":313,\"merged_version\":313,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and not file.path : (\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\", \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\", \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and 
file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"windows\\\" and event.type != \\\"deletion\\\" and file.path != null and\\n file.name : (\\\"amsi.dll\\\", \\\"amsi\\\") and\\n not file.path : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Syswow64\\\\\\\\amsi.dll\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\DUImageSandbox\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\WinSXS\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\NewOS\\\\\\\\Windows\\\\\\\\servicing\\\\\\\\LCU\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\$WINDOWS.~BT\\\\\\\\Work\\\\\\\\*\\\\\\\\*\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SoftwareDistribution\\\\\\\\Download\\\\\\\\*\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\amd64_microsoft-antimalware-scan-interface_*\\\\\\\\amsi.dll\\\"\\n ) and\\n not\\n (\\n process.executable : \\\"C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbengine.exe\\\" and\\n file.path : (\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\system32\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\syswow64\\\\\\\\amsi.dll\\\",\\n \\\"\\\\\\\\Device\\\\\\\\HarddiskVolume??\\\\\\\\Windows\\\\\\\\WinSxS\\\\\\\\*\\\\\\\\amsi.dll\\\"\\n )\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"revision\":0,\"current_rule\":{\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"updated_at\":\"2024-12-04T19:46:02.690Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.690Z\",\"created_by\":\"elastic\",\"name\":\"Potential Disabling of AppArmor\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. 
Adversaries may disable security tools to avoid possible detection of their tools and activities.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":6,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args == \\\"disable\\\" and process.args == \\\"apparmor\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Disabling of AppArmor\",\"description\":\"This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. 
Adversaries may disable security tools to avoid possible detection of their tools and activities.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":7,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Elastic Endgame\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.001\",\"name\":\"Disable or Modify Tools\",\"reference\":\"https://attack.mitre.org/techniques/T1562/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"710955b8-6220-4ddd-bac4-685b5b989d46\",\"rule_id\":\"fac52c69-2646-4e79-89c0-fd7653461010\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.041Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.690Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and 
process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.*\",\"endgame-*\",\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":6,\"target_version\":7,\"merged_version\":7,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args == \\\"disable\\\" and process.args == \\\"apparmor\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"process where host.os.type == \\\"linux\\\" and event.type == \\\"start\\\" and 
event.action in (\\\"exec\\\", \\\"exec_event\\\", \\\"executed\\\", \\\"process_started\\\")\\n and (\\n (process.name == \\\"systemctl\\\" and process.args in (\\\"stop\\\", \\\"disable\\\", \\\"kill\\\") and process.args in (\\\"apparmor\\\", \\\"apparmor.service\\\")) or\\n (process.name == \\\"service\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"stop\\\") or \\n (process.name == \\\"chkconfig\\\" and process.args == \\\"apparmor\\\" and process.args == \\\"off\\\") or\\n (process.name == \\\"ln\\\" and process.args : \\\"/etc/apparmor.d/*\\\" and process.args == \\\"/etc/apparmor.d/disable/\\\")\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"revision\":0,\"current_rule\":{\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"updated_at\":\"2024-12-04T19:46:02.695Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.695Z\",\"created_by\":\"elastic\",\"name\":\"Network Connection via Registration Utility\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. 
This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Registration Utility\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\\n\\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"author\":[\"Elastic\"],\"false_positives\":[\"Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual.\"],\"from\":\"now-9m\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy 
Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.009\",\"name\":\"Regsvcs/Regasm\",\"reference\":\"https://attack.mitre.org/techniques/T1218/009/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not (\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (process.parent.name : \\\"msiexec.exe\\\" or 
process.parent.executable : (\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\"))\\n )\\n ]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and network.protocol != \\\"dns\\\"]\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Network Connection via Registration Utility\",\"description\":\"Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Network Connection via Registration Utility\\n\\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\\n\\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. 
Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\\n- Investigate the target host that the signed binary is communicating with.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS 
Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of destination IP address and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the 
environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":208,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Security testing may produce events like this. 
Activity of this kind performed by non-engineers and ordinary users is unusual.\"],\"references\":[\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1218\",\"name\":\"System Binary Proxy Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1218/\",\"subtechnique\":[{\"id\":\"T1218.009\",\"name\":\"Regsvcs/Regasm\",\"reference\":\"https://attack.mitre.org/techniques/T1218/009/\"},{\"id\":\"T1218.010\",\"name\":\"Regsvr32\",\"reference\":\"https://attack.mitre.org/techniques/T1218/010/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.entity_id\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"keyword\",\"ecs\":false}],\"id\":\"bf569d29-bebe-492b-aa5f-6d155b54663e\",\"rule_id\":\"fb02b8d3-71ee-4af1-bacd-215d23f17efa\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:5
1:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.695Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"sequence by process.entity_id\\n [process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not (\\n (?process.Ext.token.integrity_level_name : \\\"System\\\" or ?winlog.event_data.IntegrityLevel : \\\"System\\\") and\\n (process.parent.name : \\\"msiexec.exe\\\" or process.parent.executable : (\\\"C:\\\\\\\\Program Files (x86)\\\\\\\\*.exe\\\", \\\"C:\\\\\\\\Program Files\\\\\\\\*.exe\\\"))\\n )\\n ]\\n [network where host.os.type == \\\"windows\\\" and process.name : (\\\"regsvr32.exe\\\", \\\"RegAsm.exe\\\", \\\"RegSvcs.exe\\\") and\\n not cidrmatch(destination.ip, \\\"10.0.0.0/8\\\", \\\"127.0.0.0/8\\\", \\\"169.254.0.0/16\\\", \\\"172.16.0.0/12\\\", \\\"192.0.0.0/24\\\",\\n \\\"192.0.0.0/29\\\", \\\"192.0.0.8/32\\\", \\\"192.0.0.9/32\\\", \\\"192.0.0.10/32\\\", \\\"192.0.0.170/32\\\", \\\"192.0.0.171/32\\\",\\n \\\"192.0.2.0/24\\\", \\\"192.31.196.0/24\\\", \\\"192.52.193.0/24\\\", \\\"192.168.0.0/16\\\", \\\"192.88.99.0/24\\\", \\\"224.0.0.0/4\\\",\\n \\\"100.64.0.0/10\\\", \\\"192.175.48.0/24\\\",\\\"198.18.0.0/15\\\", \\\"198.51.100.0/24\\\", \\\"203.0.113.0/24\\\", \\\"240.0.0.0/4\\\", \\\"::1\\\",\\n \\\"FE80::/10\\\", \\\"FF00::/8\\\") and network.protocol != \\\"dns\\\"]\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.network-*\",\"logs-windows.sysmon_operational-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":208,\"merged_version\":208,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"revision\":0,\"current_rule\":{\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"updated_at\":\"2024-12-04T19:46:02.700Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.700Z\",\"created_by\":\"elastic\",\"name\":\"UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. 
Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object 
Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\"],\"version\":109,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\\\\\\Temp\\\\\\\\IDC*.tmp\\\\\\\\*.exe\\\" and\\n process.parent.name : \\\"ieinstal.exe\\\" and process.parent.args : \\\"-Embedding\\\"\\n\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) */\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"UAC Bypass Attempt 
via Elevated COM Internet Explorer Add-On Installer\",\"description\":\"Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":309,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1548\",\"name\":\"Abuse Elevation Control Mechanism\",\"reference\":\"https://attack.mitre.org/techniques/T1548/\",\"subtechnique\":[{\"id\":\"T1548.002\",\"name\":\"Bypass User Account 
Control\",\"reference\":\"https://attack.mitre.org/techniques/T1548/002/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1559\",\"name\":\"Inter-Process Communication\",\"reference\":\"https://attack.mitre.org/techniques/T1559/\",\"subtechnique\":[{\"id\":\"T1559.001\",\"name\":\"Component Object Model\",\"reference\":\"https://attack.mitre.org/techniques/T1559/001/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"dd0dac56-cbaa-487d-9b4d-024453f08a63\",\"rule_id\":\"fc7c0fa4-8f03-4b3e-8336-c5feab0be022\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.700Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n process.executable : \\\"C:\\\\\\\\*\\\\\\\\AppData\\\\\\\\*\\\\\\\\Temp\\\\\\\\IDC*.tmp\\\\\\\\*.exe\\\" and\\n process.parent.name : \\\"ieinstal.exe\\\" and process.parent.args : \\\"-Embedding\\\"\\n\\n /* uncomment once in winlogbeat */\\n /* and not (process.code_signature.subject_name == \\\"Microsoft Corporation\\\" and process.code_signature.trusted == true) 
*/\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":109,\"target_version\":309,\"merged_version\":309,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Privilege Escalation\",\"Tactic: Defense Evasion\",\"Tactic: Execution\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"revision\":0,\"current_rule\":{\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"updated_at\":\"2024-12-04T19:46:02.702Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.702Z\",\"created_by\":\"elastic\",\"name\":\"User or Group Creation/Modification\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Auditd Manager\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local 
Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":2,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.result\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup 
Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /usr/sbin/groupadd -p x -k group_modification\\n-w /sbin/groupadd -p x -k group_modification\\n-w /usr/sbin/groupmod -p x -k group_modification\\n-w /sbin/groupmod -p x -k group_modification\\n-w /usr/sbin/addgroup -p x -k group_modification\\n-w /sbin/addgroup -p x -k group_modification\\n-w /usr/sbin/usermod -p x -k user_modification\\n-w /sbin/usermod -p x -k user_modification\\n-w /usr/sbin/userdel -p x -k user_modification\\n-w /sbin/userdel -p x -k user_modification\\n-w /usr/sbin/useradd -p x -k user_modification\\n-w /sbin/useradd -p x -k user_modification\\n-w /usr/sbin/adduser -p x -k user_modification\\n-w /sbin/adduser -p x -k user_modification\\n```\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"],\"query\":\"iam where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and auditd.result == \\\"success\\\" and \\nevent.action in (\\\"changed-password\\\", \\\"added-user-account\\\", \\\"added-group-account-to\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"User or Group Creation/Modification\",\"description\":\"This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. 
Threat actors may attempt to create or modify users or groups to establish persistence on the system.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":3,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Auditd Manager\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1136\",\"name\":\"Create Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/\",\"subtechnique\":[{\"id\":\"T1136.001\",\"name\":\"Local Account\",\"reference\":\"https://attack.mitre.org/techniques/T1136/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Auditd Manager.\\n\\n### Auditd Manager Integration Setup\\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\\n\\n#### The following steps should be executed in order to add the Elastic Agent System integration \\\"auditd_manager\\\" on a Linux System:\\n- Go to the Kibana home page and click “Add integrations”.\\n- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.\\n- Click “Add Auditd Manager”.\\n- Configure the integration name and optionally add a description.\\n- Review optional and advanced settings accordingly.\\n- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\\n- Click “Save and Continue”.\\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\\n\\n#### Rule Specific Setup Note\\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \\\"audit rules\\\" configuration box or the \\\"auditd rule files\\\" box by specifying a file to read the audit rules from.\\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\\n```\\n-w /usr/sbin/groupadd -p x -k group_modification\\n-w /sbin/groupadd -p x -k group_modification\\n-w /usr/sbin/groupmod -p x -k group_modification\\n-w /sbin/groupmod -p x -k group_modification\\n-w /usr/sbin/addgroup -p x -k group_modification\\n-w /sbin/addgroup -p x -k group_modification\\n-w /usr/sbin/usermod -p x -k user_modification\\n-w /sbin/usermod -p x -k user_modification\\n-w /usr/sbin/userdel -p x -k user_modification\\n-w /sbin/userdel -p x -k 
user_modification\\n-w /usr/sbin/useradd -p x -k user_modification\\n-w /sbin/useradd -p x -k user_modification\\n-w /usr/sbin/adduser -p x -k user_modification\\n-w /sbin/adduser -p x -k user_modification\\n```\\n\",\"related_integrations\":[{\"package\":\"auditd_manager\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"auditd.result\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"6f59d6a8-daef-457f-abff-282d4aa7c750\",\"rule_id\":\"fcf733d5-7801-4eb0-92ac-8ffacf3658f2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.702Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"iam where host.os.type == \\\"linux\\\" and event.type in (\\\"creation\\\", \\\"change\\\") and auditd.result == \\\"success\\\" and \\nevent.action in (\\\"changed-password\\\", \\\"added-user-account\\\", \\\"added-group-account-to\\\")\\n\",\"language\":\"eql\",\"index\":[\"auditbeat-*\",\"logs-auditd_manager.auditd-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":2,\"target_version\":3,\"merged_version\":3,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[],\"target_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"revision\":0,\"current_rule\":{\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"updated_at\":\"2024-12-04T19:46:02.707Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.707Z\",\"created_by\":\"elastic\",\"name\":\"Potential Application Shimming via Sdbinst\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege 
Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":110,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"sdbinst.exe\\\" and\\n process.args : \\\"?*\\\" and\\n not (process.args : \\\"-m\\\" and process.args : \\\"-bg\\\") and\\n not process.args : \\\"-mm\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Potential Application Shimming via 
Sdbinst\",\"description\":\"The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":312,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1546\",\"name\":\"Event Triggered Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1546/\",\"subtechnique\":[{\"id\":\"T1546.011\",\"name\":\"Application 
Shimming\",\"reference\":\"https://attack.mitre.org/techniques/T1546/011/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b843aba0-219d-4e1f-a1b6-1c9f5596c1cd\",\"rule_id\":\"fd4a992d-6130-4802-9ff8-829b89ae801f\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.707Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and process.name : \\\"sdbinst.exe\\\" and\\n process.args : \\\"?*\\\" and\\n not (process.args : \\\"-m\\\" and process.args : \\\"-bg\\\") and\\n not process.args : \\\"-mm\\\"\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":110,\"target_version\":312,\"merged_version\":312,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat 
Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"revision\":0,\"current_rule\":{\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"updated_at\":\"2024-12-04T19:46:02.709Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.709Z\",\"created_by\":\"elastic\",\"name\":\"Suspicious CertUtil Commands\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. 
CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious CertUtil Commands\\n\\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\\n\\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine the nature of the execution.\\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\\n - If files were obfuscated or deobfuscated, retrieve them.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved files using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"to\":\"now\",\"references\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\"],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"],\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") and\\n process.args : (\\\"?decode\\\", \\\"?encode\\\", \\\"?urlcache\\\", \\\"?verifyctl\\\", \\\"?encodehex\\\", \\\"?decodehex\\\", \\\"?exportPFX\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Suspicious CertUtil Commands\",\"description\":\"Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. 
CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Suspicious CertUtil Commands\\n\\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\\n\\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine the command line to determine the nature of the execution.\\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\\n - If files were obfuscated or deobfuscated, retrieve them.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the involved files using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - 
Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":311,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\",\"Austin Songer\"],\"false_positives\":[],\"references\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1140\",\"name\":\"Deobfuscate/Decode Files or 
Information\",\"reference\":\"https://attack.mitre.org/techniques/T1140/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.args\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"b5f3f306-bf2e-40dc-9bc8-3c9b2205a610\",\"rule_id\":\"fd70c98a-c410-42dc-a2e3-761c71848acf\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.709Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"process where host.os.type == \\\"windows\\\" and event.type == \\\"start\\\" and\\n (process.name : \\\"certutil.exe\\\" or ?process.pe.original_file_name == \\\"CertUtil.exe\\\") and\\n process.args : (\\\"?decode\\\", \\\"?encode\\\", \\\"?urlcache\\\", \\\"?verifyctl\\\", \\\"?encodehex\\\", \\\"?decodehex\\\", \\\"?exportPFX\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":311,\"merged_version\":311,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Endgame\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\",\"Data Source: Crowdstrike\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\"],\"target_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merged_version\":[\"https://twitter.com/Moriarty_Meng/status/984380793383370752\",\"https://twitter.com/egre55/status/1087685529016193025\",\"https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx\",\"https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil\",\"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"},{\"package\":\"crowdstrike\",\"version\":\"^1.1.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"endgame-*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"logs-crowdstrike.fdr*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"revision\":0,\"current_rule\":{\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"updated_at\":\"2024-12-04T19:46:02.712Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.712Z\",\"created_by\":\"elastic\",\"name\":\"Svchost spawning Cmd\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Svchost spawning Cmd\\n\\nThe Service 
Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\\n\\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic 
Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"to\":\"now\",\"references\":[\"https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747\"],\"version\":212,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:\\\"svchost.exe\\\" and\\nprocess.name:(\\\"cmd.exe\\\" or \\\"Cmd.exe\\\" or \\\"CMD.EXE\\\") and\\nnot process.command_line : \\\"\\\\\\\"cmd.exe\\\\\\\" /C sc control hptpsmarthealthservice 
211\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.args\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\silcollector.cmd\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files\\\\\\\\Npcap\\\\\\\\CheckStatus.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files*\\\\\\\\Pulseway\\\\\\\\watchdog.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"cmd /C \\\".\\\\\\\\inetsrv\\\\\\\\iissetup.exe /keygen \\\"\"}}}}],\"language\":\"kuery\",\"actions\":[]},\"target_rule\":{\"name\":\"Svchost spawning Cmd\",\"description\":\"Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"timeline_id\":\"e70679c2-6cde-4510-9764-4823df18f7db\",\"timeline_title\":\"Comprehensive Process Timeline\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Svchost spawning Cmd\\n\\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\\n\\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. 
This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the process executable using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, 
status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\\n\\n\\n### False positive analysis\\n\\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":418,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.command_line\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.parent.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"5cb4336b-1ba0-4f45-a321-935b449fd68f\",\"rule_id\":\"fd7a6052-58fa-4397-93c3-4795249ccfa2\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.712Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"new_terms\",\"query\":\"host.os.type:windows and event.category:process and event.type:start and process.parent.name:\\\"svchost.exe\\\" and\\nprocess.name:(\\\"cmd.exe\\\" or \\\"Cmd.exe\\\" or \\\"CMD.EXE\\\") and\\nnot process.command_line : \\\"\\\\\\\"cmd.exe\\\\\\\" /C sc control hptpsmarthealthservice 
211\\\"\\n\",\"new_terms_fields\":[\"host.id\",\"process.command_line\",\"user.id\"],\"history_window_start\":\"now-14d\",\"index\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"],\"filters\":[{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.args\":{\"case_insensitive\":true,\"value\":\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\silcollector.cmd\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files\\\\\\\\Npcap\\\\\\\\CheckStatus.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"*?:\\\\\\\\Program Files*\\\\\\\\Pulseway\\\\\\\\watchdog.bat*\"}}}},{\"meta\":{\"negate\":true},\"query\":{\"wildcard\":{\"process.command_line\":{\"case_insensitive\":true,\"value\":\"cmd /C \\\".\\\\\\\\inetsrv\\\\\\\\iissetup.exe /keygen \\\"\"}}}}],\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":212,\"target_version\":418,\"merged_version\":418,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use 
Case: Threat Detection\",\"Tactic: Execution\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Elastic Defend\",\"Data Source: System\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: Sysmon\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"system\",\"version\":\"^1.6.4\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-windows.*\",\"logs-system.security*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"logs-endpoint.events.process-*\",\"winlogbeat-*\",\"logs-windows.forwarded*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-system.security*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":5,\"num_fields_with_conflicts\":4,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"revision\":0,\"current_rule\":{\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"updated_at\":\"2024-12-04T19:45:40.276Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.276Z\",\"created_by\":\"elastic\",\"name\":\"System Binary Moved or Copied\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. 
Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"to\":\"now\",\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"version\":11,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic 
Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", 
\\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"System Binary Moved or Copied\",\"description\":\"This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. 
Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":13,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1036\",\"name\":\"Masquerading\",\"reference\":\"https://attack.mitre.org/techniques/T1036/\",\"subtechnique\":[{\"id\":\"T1036.003\",\"name\":\"Rename System Utilities\",\"reference\":\"https://attack.mitre.org/techniques/T1036/003/\"}]},{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\"}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.Ext.original.path\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"63c52e74-5701-43d9-93b0-7298f97c46d7\",\"rule_id\":\"fda1d332-5e08-4f27-8a9b-8c802e3292a6\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.276Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable 
in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", 
\\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":11,\"target_version\":13,\"merged_version\":13,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\"],\"target_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merged_version\":[\"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/\",\"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n 
\\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n 
\\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", \\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", 
\\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and event.type == \\\"change\\\" and event.action == \\\"rename\\\" and process.name != null and\\nfile.Ext.original.path : (\\n \\\"/bin/*\\\", \\\"/usr/bin/*\\\", \\\"/usr/local/bin/*\\\", \\\"/sbin/*\\\", \\\"/usr/sbin/*\\\", \\\"/usr/local/sbin/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/lib/snapd/snapd\\\", \\\"/usr/local/bin/dockerd\\\", 
\\\"/usr/libexec/netplan/generate\\\",\\n \\\"/usr/bin/update-alternatives\\\", \\\"/bin/update-alternatives\\\", \\\"/usr/sbin/update-alternatives\\\",\\n \\\"/sbin/update-alternatives\\\", \\\"/usr/bin/pip3\\\", \\\"/bin/pip3\\\", \\\"/usr/local/bin/pip3\\\", \\\"/usr/local/bin/node\\\",\\n \\\"/bin/node\\\", \\\"/usr/bin/node\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\", \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/pip\\\", \\\"/bin/pip\\\",\\n \\\"/usr/local/bin/pip\\\", \\\"/usr/libexec/platform-python\\\", \\\"/usr/bin/platform-python\\\", \\\"/bin/platform-python\\\",\\n \\\"/usr/lib/systemd/systemd\\\", \\\"/usr/sbin/sshd\\\", \\\"/sbin/sshd\\\", \\\"/usr/local/sbin/sshd\\\", \\\"/usr/sbin/crond\\\", \\\"/sbin/crond\\\",\\n \\\"/usr/local/sbin/crond\\\", \\\"/usr/sbin/gdm\\\"\\n ) or\\n process.name like (\\n \\\"python*\\\", \\\"packagekitd\\\", \\\"systemd\\\", \\\"ln\\\", \\\"platform-python\\\", \\\"dnf_install\\\", \\\"runc\\\", \\\"apt-get\\\", \\\"ssm-agent-worker\\\",\\n \\\"convert-usrmerge\\\", \\\"updatenow.static-cpanelsync\\\", \\\"apk\\\", \\\"exe\\\", \\\"php\\\", \\\"containerd-shim-runc-v2\\\", \\\"dpkg\\\", \\\"sed\\\",\\n \\\"platform-python*\\\", \\\"gedit\\\", \\\"crond\\\", \\\"sshd\\\", \\\"ruby\\\", \\\"sudo\\\", \\\"chainctl\\\", \\\"update-alternatives\\\", \\\"pip*\\\"\\n ) or\\n file.Ext.original.path : (\\n \\\"/bin/*.tmp\\\", \\\"/usr/bin/*.tmp\\\", \\\"/usr/local/bin/*.tmp\\\", \\\"/sbin/*.tmp\\\", \\\"/usr/sbin/*.tmp\\\", \\\"/usr/local/sbin/*.tmp\\\"\\n ) or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\") or\\n process.executable == null or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") 
\\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"revision\":0,\"current_rule\":{\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"updated_at\":\"2024-12-04T19:46:02.716Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.716Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Kerberos Ticket Dump\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Dump\\n\\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\\n\\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate other potentially compromised accounts and hosts. Review login events (like 4624) for suspicious events involving the subject and target accounts.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file path and user ID conditions.\\n\\n### Related Rules\\n\\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable or limit involved accounts during the investigation and response.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised 
files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting 
Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[\"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1\"],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"LsaCallAuthenticationPackage\\\" and\\n (\\n \\\"KerbRetrieveEncodedTicketMessage\\\" or\\n \\\"KerbQueryTicketCacheMessage\\\" or\\n \\\"KerbQueryTicketCacheExMessage\\\" or\\n \\\"KerbQueryTicketCacheEx2Message\\\" or\\n \\\"KerbRetrieveTicketMessage\\\" or\\n \\\"KerbDecryptDataMessage\\\"\\n )\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Kerberos Ticket Dump\",\"description\":\"Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which 
potentially indicates an attacker's attempt to acquire credentials for lateral movement.\",\"risk_score\":73,\"severity\":\"high\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating PowerShell Kerberos Ticket Dump\\n\\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\\n\\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\\n\\n### Possible investigation steps\\n\\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Investigate if the script was executed, and if so, which account was targeted.\\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\\n- Check if the script has any other functionality that can be potentially malicious.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate other potentially compromised accounts and hosts. 
Review login events (like 4624) for suspicious events involving the subject and target accounts.\\n\\n### False positive analysis\\n\\n- If this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination of file path and user ID conditions.\\n\\n### Related Rules\\n\\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Disable or limit involved accounts during the investigation and response.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Data Source: PowerShell Logs\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\"},{\"id\":\"T1558\",\"name\":\"Steal or Forge Kerberos Tickets\",\"reference\":\"https://attack.mitre.org/techniques/T1558/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell 
Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false}],\"id\":\"5cffce90-b89a-4fa5-9ef4-44886b12acf9\",\"rule_id\":\"fddff193-48a3-484d-8d35-90bb3d323a56\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.716Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category:process and host.os.type:windows and\\n powershell.file.script_block_text : (\\n \\\"LsaCallAuthenticationPackage\\\" and\\n (\\n \\\"KerbRetrieveEncodedTicketMessage\\\" or\\n \\\"KerbQueryTicketCacheMessage\\\" or\\n \\\"KerbQueryTicketCacheExMessage\\\" or\\n \\\"KerbQueryTicketCacheEx2Message\\\" or\\n \\\"KerbRetrieveTicketMessage\\\" or\\n \\\"KerbDecryptDataMessage\\\"\\n )\\n )\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"revision\":0,\"current_rule\":{\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"updated_at\":\"2024-12-04T19:46:02.723Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.723Z\",\"created_by\":\"elastic\",\"name\":\"PowerShell Script with Password Policy Discovery Capabilities\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"interval\":\"60m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"building_block_type\":\"default\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-119m\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":5,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging 
(Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\\n```\\n\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n(\\n powershell.file.script_block_text: (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADFineGrainedPasswordPolicy\\\" or\\n \\\"Get-ADUserResultantPasswordPolicy\\\" or\\n \\\"Get-DomainPolicy\\\" or\\n \\\"Get-GPPPassword\\\" or\\n \\\"Get-PassPol\\\"\\n )\\n or\\n powershell.file.script_block_text: (\\n (\\\"defaultNamingContext\\\" or \\\"ActiveDirectory.DirectoryContext\\\" or \\\"ActiveDirectory.DirectorySearcher\\\") and\\n (\\n (\\n \\\".MinLengthPassword\\\" or\\n \\\".MinPasswordAge\\\" or\\n \\\".MaxPasswordAge\\\"\\n ) or\\n (\\n \\\"minPwdAge\\\" or\\n \\\"maxPwdAge\\\" or\\n \\\"minPwdLength\\\"\\n ) or\\n (\\n \\\"msDS-PasswordSettings\\\"\\n )\\n )\\n )\\n) and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not \\n (\\n powershell.file.script_block_text : (\\\"43c15630-959c-49e4-a977-758c5cc93408\\\" and \\\"CmdletsToExport\\\" and \\\"ActiveDirectory.Types.ps1xml\\\")\\n )\\n and not user.id : \\\"S-1-5-18\\\"\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"PowerShell Script with Password Policy Discovery Capabilities\",\"description\":\"Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. 
Attackers can abuse WinRM to perform lateral movement using built-in tools.\",\"risk_score\":21,\"severity\":\"low\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"building_block_type\":\"default\",\"output_index\":\"\",\"version\":107,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Discovery\",\"Tactic: Execution\",\"Data Source: PowerShell Logs\",\"Rule Type: BBR\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"60m\",\"from\":\"now-119m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0007\",\"name\":\"Discovery\",\"reference\":\"https://attack.mitre.org/tactics/TA0007/\"},\"technique\":[{\"id\":\"T1201\",\"name\":\"Password Policy Discovery\",\"reference\":\"https://attack.mitre.org/techniques/T1201/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1059\",\"name\":\"Command and Scripting Interpreter\",\"reference\":\"https://attack.mitre.org/techniques/T1059/\",\"subtechnique\":[{\"id\":\"T1059.001\",\"name\":\"PowerShell\",\"reference\":\"https://attack.mitre.org/techniques/T1059/001/\"}]}]}],\"setup\":\"## Setup\\n\\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\\nSteps to implement the logging policy with Advanced Audit Configuration:\\n\\n```\\nComputer Configuration >\\nAdministrative Templates >\\nWindows PowerShell >\\nTurn on PowerShell Script Block Logging (Enable)\\n```\\n\\nSteps to implement the logging policy via registry:\\n\\n```\\nreg add \\\"hklm\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\" /v EnableScriptBlockLogging /t REG_DWORD /d 
1\\n```\\n\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"powershell.file.script_block_text\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"user.id\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"c4f42ce5-ae7c-455b-a315-ab56ea383ef0\",\"rule_id\":\"fe25d5bc-01fa-494a-95ff-535c29cc4c96\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.723Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"winlogbeat-*\",\"logs-windows.powershell*\"],\"query\":\"event.category: \\\"process\\\" and host.os.type:windows and\\n(\\n powershell.file.script_block_text: (\\n \\\"Get-ADDefaultDomainPasswordPolicy\\\" or\\n \\\"Get-ADFineGrainedPasswordPolicy\\\" or\\n \\\"Get-ADUserResultantPasswordPolicy\\\" or\\n \\\"Get-DomainPolicy\\\" or\\n \\\"Get-GPPPassword\\\" or\\n \\\"Get-PassPol\\\"\\n )\\n or\\n powershell.file.script_block_text: (\\n (\\\"defaultNamingContext\\\" or \\\"ActiveDirectory.DirectoryContext\\\" or \\\"ActiveDirectory.DirectorySearcher\\\") and\\n (\\n (\\n \\\".MinLengthPassword\\\" or\\n \\\".MinPasswordAge\\\" or\\n \\\".MaxPasswordAge\\\"\\n ) or\\n (\\n \\\"minPwdAge\\\" or\\n \\\"maxPwdAge\\\" or\\n \\\"minPwdLength\\\"\\n ) or\\n (\\n \\\"msDS-PasswordSettings\\\"\\n )\\n )\\n )\\n) and not powershell.file.script_block_text : (\\n \\\"sentinelbreakpoints\\\" and \\\"Set-PSBreakpoint\\\" and \\\"PowerSploitIndicators\\\"\\n )\\n and not \\n (\\n powershell.file.script_block_text : (\\\"43c15630-959c-49e4-a977-758c5cc93408\\\" and \\\"CmdletsToExport\\\" and \\\"ActiveDirectory.Types.ps1xml\\\")\\n )\\n and not user.id : 
\\\"S-1-5-18\\\"\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":5,\"target_version\":107,\"merged_version\":107,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"revision\":0,\"current_rule\":{\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"updated_at\":\"2024-12-04T19:45:40.278Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.278Z\",\"created_by\":\"elastic\",\"name\":\"Microsoft Windows Defender Tampering\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Windows Defender Tampering\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. 
Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for modifications that disable Windows Defender features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Austin Songer\"],\"false_positives\":[\"Legitimate Windows Defender configuration changes\"],\"from\":\"now-9m\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"to\":\"now\",\"references\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\"],\"version\":113,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Microsoft Windows Defender Tampering\",\"description\":\"Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Microsoft Windows Defender Tampering\\n\\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\\n\\nThis rule monitors the registry for modifications that disable Windows Defender features.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the account owner and confirm whether they are aware of this activity.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\\n\\n### False positive analysis\\n\\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\\n\\n### Related rules\\n\\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved hosts to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":314,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Austin Songer\"],\"false_positives\":[\"Legitimate Windows Defender configuration 
changes\"],\"references\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"},{\"id\":\"T1562\",\"name\":\"Impair 
Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"bf5b46ab-b443-427c-b911-19df63fea65a\",\"rule_id\":\"fe794edd-487f-4a90-b285-3ee54f2af2d3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.278Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":113,\"target_version\":314,\"merged_version\":314,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\"],\"target_version\":[\"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merged_version\":[\"https://thedfirreport.com/2021/10/18/icedid-
to-xinglocker-ransomware-in-24-hours/\",\"https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html\",\"https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html\",\"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html\",\"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html\",\"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html\",\"https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html\",\"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"required_fields\":{\"has_base_version\":false,\"current_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true}],\"target_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merged_version\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\"
:\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\",\\n 
\\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\",\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n 
\\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit 
Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and process.executable != null and\\n (\\n (\\n registry.value : (\\n \\\"PUAProtection\\\", \\\"DisallowExploitProtectionOverride\\\", \\\"TamperProtection\\\", \\\"EnableControlledFolderAccess\\\",\\n \\\"SpynetReporting\\\", \\\"SubmitSamplesConsent\\\"\\n ) and registry.data.strings : (\\\"0\\\", \\\"0x00000000\\\")\\n ) or\\n (\\n registry.path : (\\n \\\"DisableAntiSpyware\\\", \\\"DisableRealtimeMonitoring\\\", \\\"DisableIntrusionPreventionSystem\\\", \\\"DisableScriptScanning\\\",\\n \\\"DisableIOAVProtection\\\", \\\"DisableEnhancedNotifications\\\", \\\"DisableBlockAtFirstSeen\\\", \\\"DisableBehaviorMonitoring\\\"\\n ) and registry.data.strings : (\\\"1\\\", \\\"0x00000001\\\")\\n )\\n ) and\\n not process.executable : (\\n \\\"?:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\svchost.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\CCM\\\\\\\\CcmExec.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\DeviceEnroller.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\tmuninst.exe\\\"\\n )\\n\\n/*\\n Full registry key paths omitted due to data source variations:\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\DisableAntiSpyware\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableRealtimeMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time 
Protection\\\\\\\\DisableIntrusionPreventionSystem\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableScriptScanning\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableIOAVProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Reporting\\\\\\\\DisableEnhancedNotifications\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\DisableBlockAtFirstSeen\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Real-Time Protection\\\\\\\\DisableBehaviorMonitoring\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\PUAProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender Security Center\\\\\\\\App and Browser protection\\\\\\\\DisallowExploitProtectionOverride\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Features\\\\\\\\TamperProtection\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access\\\\\\\\EnableControlledFolderAccess\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SpynetReporting\\\"\\n \\\"HKLM\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\SpyNet\\\\\\\\SubmitSamplesConsent\\\"\\n*/\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.registry-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":8,\"num_fields_with_conflicts\":7,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"revision\":0,\"current_rule\":{\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"updated_at\":\"2024-12-04T19:45:40.281Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.281Z\",\"created_by\":\"elastic\",\"name\":\"MS Office Macro Security Registry Modifications\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. 
Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating MS Office Macro Security Registry Modifications\\n\\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\\n\\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\\n\\nAttackers can convince victims to modify Microsoft Office security settings, or malware that has already gained execution can change them directly, so that subsequent macros are trusted by default and no warnings are displayed when they are executed. These settings include:\\n\\n- *Trust access to the VBA project object model* (AccessVBOM) - When set to 1, Microsoft Office allows programmatic access to the VBA project object model, so a macro or automation script can read, modify, or inject VBA code into documents. This does not by itself suppress macro security prompts, but it is abused by macro malware to self-replicate and tamper with other documents.\\n- *VbaWarnings* - When set to 1 (Enable all macros), Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n\\nThis rule looks for registry changes affecting the conditions above.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user and check if the change was done manually.\\n- Verify whether malicious macros were executed after the registry change.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently executed Office documents and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the registry key value.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Explore using GPOs to manage security settings for Microsoft Office macros.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"to\":\"now\",\"references\":[],\"version\":108,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"],\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"MS Office Macro Security Registry 
Modifications\",\"description\":\"Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating MS Office Macro Security Registry Modifications\\n\\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\\n\\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\\n\\nAttackers can convince victims to modify Microsoft Office security settings, or malware that has already gained execution can change them directly, so that subsequent macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\\n\\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\\n\\nThis rule looks for registry changes affecting the conditions above.\\n\\n#### Possible investigation steps\\n\\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n- Identify the user account that performed the action and whether it should perform this kind of action.\\n- Contact the user and check if the change was done manually.\\n- Verify whether malicious macros were executed after the registry change.\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Retrieve recently executed Office documents and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - File and registry access, modification, and creation activities.\\n - Service creation and launch activities.\\n - Scheduled task creation.\\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n### False positive analysis\\n\\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Reset the registry key value.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Explore using GPOs to manage security settings for Microsoft Office macros.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":308,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1112\",\"name\":\"Modify Registry\",\"reference\":\"https://attack.mitre.org/techniques/T1112/\"}]},{\"framework\":\"MITRE 
ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1204\",\"name\":\"User Execution\",\"reference\":\"https://attack.mitre.org/techniques/T1204/\",\"subtechnique\":[{\"id\":\"T1204.002\",\"name\":\"Malicious File\",\"reference\":\"https://attack.mitre.org/techniques/T1204/002/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.data.strings\",\"type\":\"wildcard\",\"ecs\":true},{\"name\":\"registry.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"registry.value\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a4887e93-132d-4c46-8af4-d6c6a0ee9f4e\",\"rule_id\":\"feeed87c-5e95-4339-aef1-47fd79bcfbe3\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.281Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* 
MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", 
\\\"1\\\")\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":108,\"target_version\":308,\"merged_version\":308,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Resources: Investigation Guide\",\"Data Source: Elastic Endgame\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"setup\":{\"has_base_version\":false,\"current_version\":\"## Setup\\n\\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\\n`event.ingested` to @timestamp.\\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\\n\",\"target_version\":\"\",\"merged_version\":\"\",\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"registry where host.os.type == \\\"windows\\\" and event.type == \\\"change\\\" and registry.value : (\\\"AccessVBOM\\\", \\\"VbaWarnings\\\") and\\n registry.path : (\\n /* Sysmon */\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* MDE */\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n 
\\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"HKCU\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* Endgame */\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"\\\\\\\\REGISTRY\\\\\\\\USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n /* SentinelOne */\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-5-21-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\AccessVBOM\\\",\\n \\\"USER\\\\\\\\S-1-12-1-*\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Office\\\\\\\\*\\\\\\\\Security\\\\\\\\VbaWarnings\\\"\\n ) and\\n registry.data.strings : (\\\"0x00000001\\\", \\\"1\\\")\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-windows.sysmon_operational-*\",\"endgame-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":6,\"num_fields_with_conflicts\":5,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"revision\":0,\"current_rule\":{\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"updated_at\":\"2024-12-04T19:46:02.730Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.730Z\",\"created_by\":\"elastic\",\"name\":\"Roshal Archive (RAR) or PowerShell File Downloaded from the Internet\",\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). 
This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Threat intel\\n\\nThis activity has been observed in FIN7 campaigns.\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[\"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.\"],\"from\":\"now-9m\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"to\":\"now\",\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\",\"https://www.justice.gov/opa/press-release/file/1084361/download\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"version\":103,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"url.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"url.path\",\"type\":\"wildcard\",\"ecs\":true}],\"setup\":\"
\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"],\"query\":\"(event.dataset: (network_traffic.http or network_traffic.tls) or\\n (event.category: (network or network_traffic) and network.protocol: http)) and\\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Roshal Archive (RAR) or PowerShell File Downloaded from the Internet\",\"description\":\"Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). 
This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Threat intel\\n\\nThis activity has been observed in FIN7 campaigns.\",\"output_index\":\"\",\"version\":104,\"tags\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[\"Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected.\"],\"references\":[\"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html\",\"https://www.justice.gov/opa/press-release/file/1084361/download\",\"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0011\",\"name\":\"Command and Control\",\"reference\":\"https://attack.mitre.org/tactics/TA0011/\"},\"technique\":[{\"id\":\"T1105\",\"name\":\"Ingress Tool 
Transfer\",\"reference\":\"https://attack.mitre.org/techniques/T1105/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"required_fields\":[{\"name\":\"destination.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"network.protocol\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"ecs\":true},{\"name\":\"url.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"url.path\",\"type\":\"wildcard\",\"ecs\":true}],\"id\":\"5d957416-519c-4f6b-aa10-b1c642c28f1a\",\"rule_id\":\"ff013cb4-274d-434a-96bb-fe15ddd3ae92\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.730Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"query\",\"index\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"],\"query\":\"(event.dataset: (network_traffic.http or network_traffic.tls) or\\n (event.category: (network or network_traffic) and network.protocol: http)) and\\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\\n not destination.ip:(\\n 10.0.0.0/8 or\\n 127.0.0.0/8 or\\n 169.254.0.0/16 or\\n 172.16.0.0/12 or\\n 192.0.0.0/24 or\\n 192.0.0.0/29 or\\n 192.0.0.8/32 or\\n 192.0.0.9/32 or\\n 192.0.0.10/32 or\\n 192.0.0.170/32 or\\n 192.0.0.171/32 or\\n 192.0.2.0/24 or\\n 192.31.196.0/24 or\\n 192.52.193.0/24 or\\n 192.168.0.0/16 or\\n 192.88.99.0/24 or\\n 224.0.0.0/4 or\\n 100.64.0.0/10 or\\n 192.175.48.0/24 or\\n 198.18.0.0/15 or\\n 198.51.100.0/24 or\\n 203.0.113.0/24 or\\n 240.0.0.0/4 or\\n \\\"::1\\\" or\\n \\\"FE80::/10\\\" or\\n \\\"FF00::/8\\\"\\n ) and\\n source.ip:(\\n 10.0.0.0/8 or\\n 172.16.0.0/12 or\\n 192.168.0.0/16\\n 
)\\n\",\"language\":\"kuery\"},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":103,\"target_version\":104,\"merged_version\":104,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\"],\"target_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merged_version\":[\"Use Case: Threat Detection\",\"Tactic: Command and Control\",\"Domain: Endpoint\",\"Data Source: PAN-OS\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"}],\"target_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merged_version\":[{\"package\":\"network_traffic\",\"version\":\"^1.1.0\"},{\"package\":\"panw\",\"version\":\"^4.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"packetbeat-*\",\"auditbeat-*\",\"filebeat-*\",\"logs-network_traffic.*\",\"logs-panw.panos*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"revision\":0,\"current_rule\":{\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"updated_at\":\"2024-12-04T19:46:02.735Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.735Z\",\"created_by\":\"elastic\",\"name\":\"Cron Job Created or Modified\",\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating Cron Job Created or Modified\\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. 
\\n\\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the cron job file that was created or modified.\\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\\\n'/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Cron File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, 
u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = {{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific 
administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Remove the malicious cron job (the crontab entry or the file dropped in the cron directory) or restore its original configuration.\\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]}],\"to\":\"now\",\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"version\":12,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". 
If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"],\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", 
\\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path : \\\"/var/spool/cron/crontabs/tmp.*\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"crontab\\\", \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Cron Job Created or Modified\",\"description\":\"This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. 
By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and analysis\\n\\n### Investigating Cron Job Created or Modified\\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \\n\\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\\n\\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories. Note that the query carries a fixed exclusion list (package managers, configuration-management agents, the cron daemon itself, any process named perl) and also excludes events with no process.executable; a cron file written by a process that matches one of these exclusions does not alert, so treat them as a known coverage gap rather than as evidence that no cron job was created.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\\n\\n#### Possible Investigation Steps\\n\\n- Investigate the cron job file that was created or modified.\\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve File Listing Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\\\n'/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Cron File Information\\\",\\\"query\\\":\\\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Additional File Listing Information\\\",\\\"query\\\":\\\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\\\n\\\"}}\\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Running Processes by User\\\",\\\"query\\\":\\\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\\\"}}\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\\n - Use a private sandboxed malware analysis system to perform analysis.\\n - Observe and collect information about the following activities:\\n - Attempts to contact external domains and addresses.\\n - Check if the domain is newly registered or unexpected.\\n - Check the reputation of the domain or IP address.\\n - File access, modification, and creation activities.\\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Listening Ports\\\",\\\"query\\\":\\\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Open Sockets\\\",\\\"query\\\":\\\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\\\"}}\\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Information for a Specific User\\\",\\\"query\\\":\\\"SELECT * FROM users WHERE username = 
{{user.name}}\\\"}}\\n- Investigate whether the user is currently logged in and active.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Investigate the Account Authentication Status\\\",\\\"query\\\":\\\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\\\"}}\\n\\n### False Positive Analysis\\n\\n- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions.\\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\\n\\n### Related Rules\\n\\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\\n\\n### Response and remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Remove the malicious cron job (the crontab entry or the file dropped in the cron directory) or restore its original configuration.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":14,\"tags\":[\"Domain: Endpoint\",\"OS: Linux\",\"Use Case: Threat Detection\",\"Tactic: Persistence\",\"Tactic: Privilege Escalation\",\"Tactic: Execution\",\"Data Source: Elastic Defend\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0003\",\"name\":\"Persistence\",\"reference\":\"https://attack.mitre.org/tactics/TA0003/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0004\",\"name\":\"Privilege Escalation\",\"reference\":\"https://attack.mitre.org/tactics/TA0004/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled 
Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1053\",\"name\":\"Scheduled Task/Job\",\"reference\":\"https://attack.mitre.org/techniques/T1053/\",\"subtechnique\":[{\"id\":\"T1053.003\",\"name\":\"Cron\",\"reference\":\"https://attack.mitre.org/techniques/T1053/003/\"}]}]}],\"setup\":\"## Setup\\n\\nThis rule requires data coming in from Elastic Defend.\\n\\n### Elastic Defend Integration Setup\\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\\n\\n#### Prerequisite Requirements:\\n- Fleet is required for Elastic Defend.\\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\\n\\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\\n- Go to the Kibana home page and click \\\"Add integrations\\\".\\n- In the query bar, search for \\\"Elastic Defend\\\" and select the integration to see more details about it.\\n- Click \\\"Add Elastic Defend\\\".\\n- Configure the integration name and optionally add a description.\\n- Select the type of environment you want to protect, either \\\"Traditional Endpoints\\\" or \\\"Cloud Workloads\\\".\\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\\n- We suggest selecting \\\"Complete EDR (Endpoint Detection and Response)\\\" as a configuration setting, that provides \\\"All events; all preventions\\\"\\n- Enter a name for the agent policy in \\\"New agent policy name\\\". If other agent policies already exist, you can click the \\\"Existing hosts\\\" tab and select an existing policy instead.\\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\\n- Click \\\"Save and Continue\\\".\\n- To complete the integration, select \\\"Add Elastic Agent to your hosts\\\" and continue to the next section to install the Elastic Agent on your hosts.\\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\\n\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.Ext.original.extension\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"file.extension\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.name\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.name\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"3f1ed75a-6cc2-4f0c-9f96-fa924ddda6f7\",\"rule_id\":\"ff10d4d8-fea7-422d-afb1-e5a2702369a9\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.735Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in 
(\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n 
process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.file*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":12,\"target_version\":14,\"merged_version\":14,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"references\":{\"has_base_version\":false,\"current_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\"],\"target_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merged_version\":[\"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/\",\"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n 
\\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path : \\\"/var/spool/cron/crontabs/tmp.*\\\" or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\\"crontab\\\", \\\"crond\\\", 
\\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\") or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", \\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n 
\\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"file where host.os.type == \\\"linux\\\" and\\nevent.action in (\\\"rename\\\", \\\"creation\\\") and file.path : (\\n \\\"/etc/cron.allow\\\", \\\"/etc/cron.deny\\\", \\\"/etc/cron.d/*\\\", \\\"/etc/cron.hourly/*\\\", \\\"/etc/cron.daily/*\\\", \\\"/etc/cron.weekly/*\\\",\\n \\\"/etc/cron.monthly/*\\\", \\\"/etc/crontab\\\", \\\"/var/spool/cron/crontabs/*\\\", \\\"/var/spool/anacron/*\\\"\\n) and not (\\n process.executable in (\\n \\\"/bin/dpkg\\\", \\\"/usr/bin/dpkg\\\", \\\"/bin/dockerd\\\", \\\"/usr/bin/dockerd\\\", \\\"/usr/sbin/dockerd\\\", \\\"/bin/microdnf\\\",\\n \\\"/usr/bin/microdnf\\\", \\\"/bin/rpm\\\", \\\"/usr/bin/rpm\\\", \\\"/bin/snapd\\\", \\\"/usr/bin/snapd\\\", \\\"/bin/yum\\\", \\\"/usr/bin/yum\\\",\\n \\\"/bin/dnf\\\", \\\"/usr/bin/dnf\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/bin/dnf-automatic\\\", \\\"/usr/bin/dnf-automatic\\\",\\n \\\"/bin/pacman\\\", \\\"/usr/bin/pacman\\\", 
\\\"/usr/bin/dpkg-divert\\\", \\\"/bin/dpkg-divert\\\", \\\"/sbin/apk\\\", \\\"/usr/sbin/apk\\\",\\n \\\"/usr/local/sbin/apk\\\", \\\"/usr/bin/apt\\\", \\\"/usr/sbin/pacman\\\", \\\"/bin/podman\\\", \\\"/usr/bin/podman\\\", \\\"/usr/bin/puppet\\\",\\n \\\"/bin/puppet\\\", \\\"/opt/puppetlabs/puppet/bin/puppet\\\", \\\"/usr/bin/chef-client\\\", \\\"/bin/chef-client\\\",\\n \\\"/bin/autossl_check\\\", \\\"/usr/bin/autossl_check\\\", \\\"/proc/self/exe\\\", \\\"/dev/fd/*\\\", \\\"/usr/bin/pamac-daemon\\\",\\n \\\"/bin/pamac-daemon\\\", \\\"/usr/local/bin/dockerd\\\", \\\"/opt/elasticbeanstalk/bin/platform-engine\\\",\\n \\\"/opt/puppetlabs/puppet/bin/ruby\\\", \\\"/usr/libexec/platform-python\\\", \\\"/opt/imunify360/venv/bin/python3\\\",\\n \\\"/opt/eset/efs/lib/utild\\\", \\\"/usr/sbin/anacron\\\", \\\"/usr/bin/podman\\\", \\\"/kaniko/kaniko-executor\\\"\\n ) or\\n file.path like (\\\"/var/spool/cron/crontabs/tmp.*\\\", \\\"/etc/cron.d/jumpcloud-updater\\\") or\\n file.extension in (\\\"swp\\\", \\\"swpx\\\", \\\"swx\\\", \\\"dpkg-remove\\\") or\\n file.Ext.original.extension == \\\"dpkg-new\\\" or\\n process.executable : (\\n \\\"/nix/store/*\\\", \\\"/var/lib/dpkg/*\\\", \\\"/tmp/vmis.*\\\", \\\"/snap/*\\\", \\\"/dev/fd/*\\\", \\\"/usr/libexec/platform-python*\\\"\\n ) or\\n process.executable == null or\\n process.name in (\\n \\\"crond\\\", \\\"executor\\\", \\\"puppet\\\", \\\"droplet-agent.postinst\\\", \\\"cf-agent\\\", \\\"schedd\\\", \\\"imunify-notifier\\\", \\\"perl\\\",\\n \\\"jumpcloud-agent\\\", \\\"crio\\\", \\\"dnf_install\\\", \\\"utild\\\"\\n ) or\\n (process.name == \\\"sed\\\" and file.name : \\\"sed*\\\") or\\n (process.name == \\\"perl\\\" and file.name : \\\"e2scrub_all.tmp*\\\") \\n)\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":3,\"num_fields_with_conflicts\":2,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"revision\":0,\"current_rule\":{\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"updated_at\":\"2024-12-04T19:46:02.740Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.740Z\",\"created_by\":\"elastic\",\"name\":\"LSASS Process Access via Windows API\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\",\"risk_score\":47,\"severity\":\"medium\",\"note\":\"## Triage and analysis\\n\\n### Investigating LSASS Process Access via Windows API\\n\\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\\n\\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \\\"lsass.exe\\\" process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE 
authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\\n\\n### Related Rules\\n\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"to\":\"now\",\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"version\":9,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"Target.process.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.api.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.api-*\",\"logs-m365_defender.event-*\"],\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware 
Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\KES*\\\\\\\\avp.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"LSASS Process Access via Windows API\",\"description\":\"Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"note\":\"## Triage and 
analysis\\n\\n### Investigating LSASS Process Access via Windows API\\n\\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\\n\\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \\\"lsass.exe\\\" process.\\n\\n> **Note**:\\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\\n\\n### Possible investigation steps\\n\\n- Investigate other alerts associated with the user/host during the past 48 hours.\\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. 
This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\\n- Examine the host for derived artifacts that indicate suspicious activities:\\n - Analyze the executables of the processes using a private sandboxed analysis system.\\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\\n - Attempts to contact external domains and addresses.\\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\\n - Examine the DNS cache for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve DNS Cache\\\",\\\"query\\\":\\\"SELECT * FROM dns_cache\\\"}}\\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\\n - Examine the host services for suspicious or anomalous entries.\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve All Services\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Services Running on User Accounts\\\",\\\"query\\\":\\\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\\\nuser_account == null)\\\\n\\\"}}\\n - !{osquery{\\\"label\\\":\\\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\\\",\\\"query\\\":\\\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\\\n\\\"}}\\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\\n\\n\\n### False positive analysis\\n\\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions — preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\\n\\n### Related Rules\\n\\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\\n\\n### Response and Remediation\\n\\n- Initiate the incident response process based on the outcome of the triage.\\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\\n- Isolate the involved host to prevent further post-compromise behavior.\\n- If the triage identified malware, search the environment for additional compromised hosts.\\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\\n - Stop suspicious processes.\\n - Immediately block the identified indicators of compromise (IoCs).\\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\\n- Remove and block malicious artifacts identified during 
triage.\\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\\n- Reimage the host operating system or restore the compromised files to clean versions.\\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\\n\",\"output_index\":\"\",\"version\":10,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Credential Access\",\"Tactic: Execution\",\"Data Source: Elastic Defend\",\"Data Source: Microsoft Defender for Endpoint\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0006\",\"name\":\"Credential Access\",\"reference\":\"https://attack.mitre.org/tactics/TA0006/\"},\"technique\":[{\"id\":\"T1003\",\"name\":\"OS Credential Dumping\",\"reference\":\"https://attack.mitre.org/techniques/T1003/\",\"subtechnique\":[{\"id\":\"T1003.001\",\"name\":\"LSASS Memory\",\"reference\":\"https://attack.mitre.org/techniques/T1003/001/\"}]}]},{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0002\",\"name\":\"Execution\",\"reference\":\"https://attack.mitre.org/tactics/TA0002/\"},\"technique\":[{\"id\":\"T1106\",\"name\":\"Native 
API\",\"reference\":\"https://attack.mitre.org/techniques/T1106/\"}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"}],\"required_fields\":[{\"name\":\"Target.process.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.Ext.api.name\",\"type\":\"unknown\",\"ecs\":false},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"a24b9d97-c29b-4456-b0a8-6a439c043964\",\"rule_id\":\"ff4599cb-409f-4910-a239-52e4e6f532ff\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:02.740Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure 
mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n 
\\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"index\":[\"logs-endpoint.events.api-*\",\"logs-m365_defender.event-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":9,\"target_version\":10,\"merged_version\":10,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"eql_query\":{\"has_base_version\":false,\"current_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program 
Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\", \\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\KES*\\\\\\\\avp.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\", \\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n 
)\\n\",\"language\":\"eql\",\"filters\":[]},\"target_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", \\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium 
Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring 
Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merged_version\":{\"query\":\"api where host.os.type == \\\"windows\\\" and \\n process.Ext.api.name in (\\\"OpenProcess\\\", 
\\\"OpenThread\\\") and Target.process.name : \\\"lsass.exe\\\" and \\n not \\n (\\n process.executable : (\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\GetSupportService*\\\\\\\\Updates\\\\\\\\Update_*.exe\\\",\\n \\\"?:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows Defender\\\\\\\\Platform\\\\\\\\*\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Asiainfo Security\\\\\\\\OfficeScan Client\\\\\\\\NTRTScan.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Blackpoint\\\\\\\\SnapAgent\\\\\\\\SnapAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CheckPoint\\\\\\\\Endpoint Security\\\\\\\\EFR\\\\\\\\EFRService.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\CyberCNSAgent\\\\\\\\osqueryi.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpnagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\aciseagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\cisco\\\\\\\\cisco anyconnect secure mobility client\\\\\\\\vpndownloader.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\eScan\\\\\\\\reload.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Google\\\\\\\\Update\\\\\\\\GoogleUpdate.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Kaspersky Lab\\\\\\\\*\\\\\\\\avp.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\microsoft intune management extension\\\\\\\\microsoft.management.services.intunewindowsagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Reactive\\\\\\\\bin\\\\\\\\NableReactiveManagement.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\N-able Technologies\\\\\\\\Windows Agent\\\\\\\\bin\\\\\\\\agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Tanium\\\\\\\\Tanium Client\\\\\\\\TaniumClient.exe\\\",\\n \\\"?:\\\\\\\\Program Files (x86)\\\\\\\\Trend Micro\\\\\\\\*\\\\\\\\CCSF\\\\\\\\TmCCSF.exe\\\",\\n \\\"?:\\\\\\\\Program Files 
(x86)\\\\\\\\Trend Micro\\\\\\\\Security Agent\\\\\\\\TMASutility.exe\\\",\\n \\\"?:\\\\\\\\Program Files*\\\\\\\\Windows Defender\\\\\\\\MsMpEng.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Bitdefender\\\\\\\\Endpoint Security\\\\\\\\EPSecurityService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Cisco\\\\\\\\AMP\\\\\\\\*\\\\\\\\sfc.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Common Files\\\\\\\\McAfee\\\\\\\\AVSolution\\\\\\\\mcshield.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\EA\\\\\\\\AC\\\\\\\\EAAntiCheat.GameService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\agentbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\metricbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\osqueryd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Elastic\\\\\\\\Agent\\\\\\\\data\\\\\\\\elastic-agent-*\\\\\\\\components\\\\\\\\packetbeat.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\ESET\\\\\\\\ESET Security\\\\\\\\ekrn.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiProxy.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Fortinet\\\\\\\\FortiClient\\\\\\\\FortiSSLVPNdaemon.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Goverlan Inc\\\\\\\\GoverlanAgent\\\\\\\\GovAgentx64.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Huntress\\\\\\\\HuntressAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\LogicMonitor\\\\\\\\Agent\\\\\\\\bin\\\\\\\\sbshutdown.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Malwarebytes\\\\\\\\Anti-Malware\\\\\\\\MBAMService.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Monitoring Agent\\\\\\\\Agent\\\\\\\\Health Service State\\\\\\\\*\\\\\\\\pmfexe.exe\\\", \\n \\\"?:\\\\\\\\Program Files\\\\\\\\Microsoft Security Client\\\\\\\\MsMpEng.exe\\\",\\n 
\\\"?:\\\\\\\\Program Files\\\\\\\\Qualys\\\\\\\\QualysAgent\\\\\\\\QualysAgent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\smart-x\\\\\\\\controlupagent\\\\\\\\version*\\\\\\\\cuagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\TDAgent\\\\\\\\ossec-agent\\\\\\\\ossec-agent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Topaz OFD\\\\\\\\Warsaw\\\\\\\\core.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Trend Micro\\\\\\\\Deep Security Agent\\\\\\\\netagent\\\\\\\\tm_netagent.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\VMware\\\\\\\\VMware Tools\\\\\\\\vmtoolsd.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Windows Defender Advanced Threat Protection\\\\\\\\MsSense.exe\\\",\\n \\\"?:\\\\\\\\Program Files\\\\\\\\Wise\\\\\\\\Wise Memory Optimizer\\\\\\\\WiseMemoryOptimzer.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\AdminArsenal\\\\\\\\PDQDeployRunner\\\\\\\\*\\\\\\\\exec\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\Sysmon64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\csrss.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\MRT.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\taskhostw.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RtkAudUService64.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe\\\",\\n \\\"?:\\\\\\\\Windows\\\\\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\\\"\\n ) and not ?process.code_signature.trusted == false\\n )\\n\",\"language\":\"eql\",\"filters\":[]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"}},\"num_fields_with_updates\":2,\"num_fields_with_conflicts\":1,\"num_fields_with_non_solvable_conflicts\":0}},{\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"revision\":0,\"current_rule\":{\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"updated_at\":\"2024-12-04T19:46:04.826Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.826Z\",\"created_by\":\"elastic\",\"name\":\"Alternate Data Stream Creation/Execution at Volume Root Directory\",\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":0,\"description\":\"Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.\",\"risk_score\":47,\"severity\":\"medium\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"author\":[\"Elastic\"],\"false_positives\":[],\"from\":\"now-9m\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File 
Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"to\":\"now\",\"references\":[\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"version\":1,\"exceptions_list\":[],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"\",\"type\":\"eql\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"],\"query\":\"any where host.os.type == \\\"windows\\\" and event.category in (\\\"file\\\", \\\"process\\\") and \\n (\\n (event.type == \\\"creation\\\" and file.path regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\") or \\n (event.type == \\\"start\\\" and process.executable regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\")\\n )\\n\",\"actions\":[]},\"target_rule\":{\"name\":\"Alternate Data Stream Creation/Execution at Volume Root Directory\",\"description\":\"Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.\",\"risk_score\":47,\"severity\":\"medium\",\"timestamp_override\":\"event.ingested\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"version\":201,\"tags\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for 
Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"enabled\":false,\"risk_score_mapping\":[],\"severity_mapping\":[],\"interval\":\"5m\",\"from\":\"now-9m\",\"to\":\"now\",\"actions\":[],\"exceptions_list\":[],\"author\":[\"Elastic\"],\"false_positives\":[],\"references\":[\"https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/\"],\"max_signals\":100,\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1564\",\"name\":\"Hide Artifacts\",\"reference\":\"https://attack.mitre.org/techniques/T1564/\",\"subtechnique\":[{\"id\":\"T1564.004\",\"name\":\"NTFS File Attributes\",\"reference\":\"https://attack.mitre.org/techniques/T1564/004/\"}]}]}],\"setup\":\"\",\"related_integrations\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"required_fields\":[{\"name\":\"event.category\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"file.path\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"host.os.type\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"process.executable\",\"type\":\"keyword\",\"ecs\":true}],\"id\":\"88e24f90-a29d-493b-a681-fd7c5eca7ddc\",\"rule_id\":\"ff6cf8b9-b76c-4cc1-ac1b-4935164d1029\",\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":false},\"updated_at\":\"2024-12-06T16:51:21.042Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:46:04.826Z\",\"created_by\":\"elastic\",\"revision\":1,\"type\":\"eql\",\"query\":\"any where host.os.type == \\\"windows\\\" and event.category in (\\\"file\\\", \\\"process\\\") and \\n (\\n (event.type == \\\"creation\\\" and file.path regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\") or 
\\n (event.type == \\\"start\\\" and process.executable regex~ \\\"\\\"\\\"[A-Z]:\\\\\\\\:.+\\\"\\\"\\\")\\n )\\n\",\"language\":\"eql\",\"index\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"diff\":{\"fields\":{\"version\":{\"has_base_version\":false,\"current_version\":1,\"target_version\":201,\"merged_version\":201,\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"NONE\"},\"tags\":{\"has_base_version\":false,\"current_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\"],\"target_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merged_version\":[\"Domain: Endpoint\",\"OS: Windows\",\"Use Case: Threat Detection\",\"Tactic: Defense Evasion\",\"Data Source: Elastic Defend\",\"Data Source: Sysmon\",\"Data Source: Microsoft Defender for Endpoint\",\"Data Source: SentinelOne\",\"Data Source: Elastic Endgame\"],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, 
TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true},\"related_integrations\":{\"has_base_version\":false,\"current_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^1.5.0\"}],\"target_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merged_version\":[{\"package\":\"endpoint\",\"version\":\"^8.2.0\"},{\"package\":\"windows\",\"version\":\"^2.0.0\"},{\"package\":\"m365_defender\",\"version\":\"^2.0.0\"},{\"package\":\"sentinel_one_cloud_funnel\",\"version\":\"^1.0.0\"}],\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"has_update\":true,\"conflict\":\"SOLVABLE\"},\"data_source\":{\"has_base_version\":false,\"current_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\"]},\"target_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merged_version\":{\"type\":\"index_patterns\",\"index_patterns\":[\"winlogbeat-*\",\"logs-endpoint.events.process-*\",\"logs-endpoint.events.file-*\",\"logs-windows.sysmon_operational-*\",\"logs-m365_defender.event-*\",\"logs-sentinel_one_cloud_funnel.*\",\"endgame-*\"]},\"merge_outcome\":\"TARGET\",\"diff_outcome\":\"BASE=-, CURRENT=A, TARGET=B\",\"conflict\":\"SOLVABLE\",\"has_update\":true}},\"num_fields_with_updates\":4,\"num_fields_with_conflicts\":3,\"num_fields_with_non_solvable_conflicts\":0}}]}" }, "redirectURL": "", "headersSize": 1392, "bodySize": 986096, "_transferSize": 987488, "_error": null, "_fetchedViaServiceWorker": 
false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:19.017Z", "time": 2198.119999957271, "timings": { "blocked": 0.8789999695830047, "dns": -1, "ssl": -1, "connect": -1, "send": 0.02100000000000002, "wait": 2142.2830000087247, "receive": 54.936999978963286, "_blocked_queueing": 0.3399999695830047, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "getPrebuiltRulesStatus", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142115, "columnNumber": 83 }, { "functionName": "Object", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142307, "columnNumber": 94 }, { "functionName": "fetchFn", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198077, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 171 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "refetchQueries", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198074, "columnNumber": 89 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198068, "columnNumber": 18 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "invalidateQueries", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198054, "columnNumber": 79 }, { "functionName": "", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 142327, "columnNumber": 16 }, { "functionName": "onSettled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 276606, "columnNumber": 6 }, { "functionName": "execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196444, "columnNumber": 122 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "mutate", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196777, "columnNumber": 32 }, { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299145, "columnNumber": 12 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299185, "columnNumber": 12 }, { "functionName": "onClick", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 299923, "columnNumber": 21 }, { "functionName": "callCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335355, "columnNumber": 13 }, { "functionName": "invokeGuardedCallbackDev", "scriptId": 
"8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335404, "columnNumber": 15 }, { "functionName": "invokeGuardedCallback", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335466, "columnNumber": 30 }, { "functionName": "invokeGuardedCallbackAndCatchFirstError", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335480, "columnNumber": 24 }, { "functionName": "executeDispatch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339653, "columnNumber": 2 }, { "functionName": "processDispatchQueueItemsInOrder", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339685, "columnNumber": 6 }, { "functionName": "processDispatchQueue", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339698, "columnNumber": 4 }, { "functionName": "dispatchEventsForPlugins", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339709, "columnNumber": 2 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339918, "columnNumber": 11 }, { "functionName": "batchedEventUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353801, "columnNumber": 11 }, { "functionName": "batchedEventUpdates", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335155, "columnNumber": 11 }, { "functionName": "dispatchEventForPluginEventSystem", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 339917, "columnNumber": 2 }, { "functionName": "attemptToDispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337415, "columnNumber": 2 }, { "functionName": "dispatchEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337334, "columnNumber": 18 }, { "functionName": "unstable_runWithPriority", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 416192, "columnNumber": 11 }, { "functionName": "runWithPriority$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 342686, "columnNumber": 9 }, { "functionName": "discreteUpdates$1", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 353818, "columnNumber": 13 }, { "functionName": "discreteUpdates", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 335166, "columnNumber": 11 }, { "functionName": "dispatchDiscreteEvent", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 337299, "columnNumber": 2 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "GET", "url": 
"http://localhost:5601/internal/detection_engine/prebuilt_rules/status", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": 
"%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2005, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:21 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "161" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "1" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 161, "mimeType": "application/json", "compression": 0, "text": "{\"stats\":{\"num_prebuilt_rules_installed\":1191,\"num_prebuilt_rules_to_install\":65,\"num_prebuilt_rules_to_upgrade\":660,\"num_prebuilt_rules_total_in_package\":1256}}" }, "redirectURL": "", "headersSize": 1360, "bodySize": 161, "_transferSize": 1521, "_error": 
null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:19.017Z", "time": 2144.296000013128, "timings": { "blocked": 0.7840000037699938, "dns": -1, "ssl": -1, "connect": -1, "send": 0.013000000000000012, "wait": 2142.002000019163, "receive": 1.496999990195036, "_blocked_queueing": 0.3980000037699938, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchActiveMaintenanceWindows", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80723, "columnNumber": 28 }, { "functionName": "Object.enabled.enabled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80994, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198444, "columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "GET", "url": "http://localhost:5601/internal/alerting/rules/maintenance_window/_active", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 1984, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:50 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, 
must-revalidate" }, { "name": "content-length", "value": "2" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 2, "mimeType": "application/json", "compression": 0, "text": "[]" }, "redirectURL": "", "headersSize": 1334, "bodySize": 2, "_transferSize": 1336, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:50.844Z", "time": 84.37900000717491, "timings": { "blocked": 26.28399997425452, "dns": -1, "ssl": -1, "connect": -1, "send": 0.1259999999999999, "wait": 57.62499997467175, "receive": 0.3440000582486391, "_blocked_queueing": 23.93099997425452, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141804, "columnNumber": 86 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277380, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198444, 
"columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 }, { "functionName": 
"", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "GET", "url": "http://localhost:5601/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc&filter=(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [ { "name": "page", "value": "1" }, { "name": "per_page", "value": "20" }, { "name": "sort_field", "value": "enabled" }, { "name": "sort_order", "value": "desc" }, { "name": "filter", "value": 
"(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)" } ], "cookies": [], "headersSize": 2941, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:50 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": 
"Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5239, "mimeType": "application/json", "compression": 2887, "text": "{\"page\":1,\"perPage\":20,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:51:18.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":2,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address 
(`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"timestamp_override_fallback_disabled\":false,\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to 
this rule to filter false positives if Okta MFA rules are regularly modified in your organization.\"],\"from\":\"now-60s\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"version\":310,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.rule.update\\n\",\"filters\":[],\"actions\":[]}]}" }, "redirectURL": "", "headersSize": 1401, "bodySize": 2352, "_transferSize": 3753, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:50.845Z", "time": 120.13200001092628, "timings": { "blocked": 25.973000009264798, "dns": -1, "ssl": -1, "connect": -1, "send": 0.07200000000000006, "wait": 93.65400002242252, "receive": 0.43299997923895717, "_blocked_queueing": 23.798000009264797, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19634, "columnNumber": 18 }, { "functionName": "http", "scriptId": "8843", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/usageCollection/1.0.0/usageCollection.plugin.js", "lineNumber": 624, "columnNumber": 35 }, { "functionName": "", 
"scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16791, "columnNumber": 21 }, { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16763, "columnNumber": 15 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "POST", "url": "http://localhost:5601/api/ui_counters/_report", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "2191" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" 
}, { "name": "kbn-system-request", "value": "true" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2037, "bodySize": 2191, "postData": { "mimeType": "application/json", "text": "{\"report\":{\"reportVersion\":3,\"uiCounter\":{\"securitySolutionUI-click-navigation_rules-landing\":{\"key\":\"securitySolutionUI-click-navigation_rules-landing\",\"appName\":\"securitySolutionUI\",\"eventName\":\"navigation_rules-landing\",\"type\":\"click\",\"total\":1},\"ebt_counters.client-enqueued_enqueued-click\":{\"key\":\"ebt_counters.client-enqueued_enqueued-click\",\"appName\":\"ebt_counters.client\",\"eventName\":\"click\",\"type\":\"enqueued_enqueued\",\"total\":11},\"ebt_counters.client-sent_to_shipper_OK-click\":{\"key\":\"ebt_counters.client-sent_to_shipper_OK-click\",\"appName\":\"ebt_counters.client\",\"eventName\":\"click\",\"type\":\"sent_to_shipper_OK\",\"total\":11},\"ebt_counters.elastic_v3_browser-succeeded_200-click\":{\"key\":\"ebt_counters.elastic_v3_browser-succeeded_200-click\",\"appName\":\"ebt_counters.elastic_v3_browser\",\"eventName\":\"click\",\"type\":\"succeeded_200\",\"total\":11},\"securitySolutionUI-click-landing_card_rules\":{\"key\":\"securitySolutionUI-click-landing_card_rules\",\"appName\":\"securitySolutionUI\",\"eventName\":\"landing_card_rules\",\"type\":\"click\",\"total\":1},\"securitySolutionUI-click-tab_updates\":{\"key\":\"securitySolutionUI-click-tab_updates\",\"ap
pName\":\"securitySolutionUI\",\"eventName\":\"tab_updates\",\"type\":\"click\",\"total\":1},\"ebt_counters.client-enqueued_enqueued-viewport_resize\":{\"key\":\"ebt_counters.client-enqueued_enqueued-viewport_resize\",\"appName\":\"ebt_counters.client\",\"eventName\":\"viewport_resize\",\"type\":\"enqueued_enqueued\",\"total\":1},\"ebt_counters.client-sent_to_shipper_OK-viewport_resize\":{\"key\":\"ebt_counters.client-sent_to_shipper_OK-viewport_resize\",\"appName\":\"ebt_counters.client\",\"eventName\":\"viewport_resize\",\"type\":\"sent_to_shipper_OK\",\"total\":1},\"ebt_counters.elastic_v3_browser-succeeded_200-viewport_resize\":{\"key\":\"ebt_counters.elastic_v3_browser-succeeded_200-viewport_resize\",\"appName\":\"ebt_counters.elastic_v3_browser\",\"eventName\":\"viewport_resize\",\"type\":\"succeeded_200\",\"total\":1}},\"application_usage\":{\"securitySolutionUI-rules\":{\"minutesOnScreen\":0.7311833333333333,\"numberOfClicks\":6,\"appId\":\"securitySolutionUI\",\"viewId\":\"rules\"},\"securitySolutionUI-rules-landing\":{\"minutesOnScreen\":0.021416666666666667,\"numberOfClicks\":0,\"appId\":\"securitySolutionUI\",\"viewId\":\"rules-landing\"}}}}" } }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:51:57 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "15" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", 
"value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 15, "mimeType": "application/json", "compression": 0, "text": "{\"status\":\"ok\"}" }, "redirectURL": "", "headersSize": 815, "bodySize": 15, "_transferSize": 830, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:51:56.850Z", "time": 231.62900004535913, "timings": { "blocked": 2.7160000235587356, "dns": -1, "ssl": -1, "connect": -1, "send": 0.2350000000000001, "wait": 227.56800000982358, "receive": 1.1100000119768083, "_blocked_queueing": 1.7460000235587358, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "", "scriptId": "8972", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/security/1.0.0/security.plugin.js", "lineNumber": 8167, "columnNumber": 44 }, { "functionName": "", "scriptId": "8972", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/security/1.0.0/security.plugin.js", "lineNumber": 8091, "columnNumber": 13 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "POST", "url": "http://localhost:5601/internal/security/session", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "0" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2010, "bodySize": 0 }, "response": { "status": 302, "statusText": "Found", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:52:06 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "0" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "location", "value": "/internal/security/session" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], 
"cookies": [], "content": { "size": 0, "mimeType": "x-unknown", "compression": 0 }, "redirectURL": "/internal/security/session", "headersSize": 1306, "bodySize": 0, "_transferSize": 1306, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:52:06.533Z", "time": 32.279000035487115, "timings": { "blocked": 0.9680000242590905, "dns": -1, "ssl": -1, "connect": -1, "send": 0.07800000000000001, "wait": 30.802999996624887, "receive": 0.43000001460313797, "_blocked_queueing": 0.5230000242590904, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "", "scriptId": "8972", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/security/1.0.0/security.plugin.js", "lineNumber": 8167, "columnNumber": 44 }, { "functionName": "", "scriptId": "8972", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/security/1.0.0/security.plugin.js", "lineNumber": 8091, 
"columnNumber": 13 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "GET", "url": "http://localhost:5601/internal/security/session", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": 
"%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 1927, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:52:06 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "89" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 89, "mimeType": "application/json", "compression": 0, "text": "{\"expiresInMs\":259199974,\"canBeExtended\":true,\"provider\":{\"type\":\"basic\",\"name\":\"basic\"}}" }, "redirectURL": "", "headersSize": 1335, "bodySize": 89, "_transferSize": 1424, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:52:06.565Z", 
"time": 20.118999993428588, "timings": { "blocked": 0.3019999873228371, "dns": -1, "ssl": -1, "connect": -1, "send": 0.032, "wait": 19.499999989658594, "receive": 0.28500001644715667, "_blocked_queueing": 0.11299998732283711, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchActiveMaintenanceWindows", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80723, "columnNumber": 28 }, { "functionName": "Object.enabled.enabled", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 80994, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { 
"functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198444, "columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": 
"onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395214", "request": { "method": "GET", "url": "http://localhost:5601/internal/alerting/rules/maintenance_window/_active", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 1984, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:52:50 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, 
must-revalidate" }, { "name": "content-length", "value": "2" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 2, "mimeType": "application/json", "compression": 0, "text": "[]" }, "redirectURL": "", "headersSize": 1334, "bodySize": 2, "_transferSize": 1336, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:52:50.446Z", "time": 93.68900000117719, "timings": { "blocked": 26.50299995497614, "dns": -1, "ssl": -1, "connect": -1, "send": 0.1419999999999999, "wait": 66.70400001841038, "receive": 0.3400000277906656, "_blocked_queueing": 22.60599995497614, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "fetchRules", "scriptId": "9051", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_application_dependencies.js", "lineNumber": 141804, "columnNumber": 86 }, { "functionName": "Object", "scriptId": "9053", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/securitySolution/1.0.0/securitySolution.chunk.lazy_sub_plugins.js", "lineNumber": 277380, "columnNumber": 82 }, { "functionName": "fetchFn", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197509, "columnNumber": 26 }, { "functionName": "run", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198971, "columnNumber": 30 }, { "functionName": "createRetryer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 199019, "columnNumber": 4 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197564, "columnNumber": 88 }, { "functionName": "executeFetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198444, 
"columnNumber": 36 }, { "functionName": "fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198432, "columnNumber": 16 }, { "functionName": "refetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 198415, "columnNumber": 16 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197360, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197861, "columnNumber": 14 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197860, "columnNumber": 19 }, { "functionName": "batch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 196861, "columnNumber": 15 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197859, "columnNumber": 72 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 197932, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195764, "columnNumber": 6 }, { "functionName": "onFocus", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195761, "columnNumber": 19 }, { "functionName": 
"", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195747, "columnNumber": 13 }, { "functionName": "listener", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 195707, "columnNumber": 31 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "GET", "url": "http://localhost:5601/api/detection_engine/rules/_find?page=1&per_page=20&sort_field=enabled&sort_order=desc&filter=(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [ { "name": "page", "value": "1" }, { "name": "per_page", "value": "20" }, { "name": "sort_field", "value": "enabled" }, { "name": "sort_order", "value": "desc" }, { "name": "filter", "value": 
"(alert.attributes.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.index%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.tactic.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.id%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22%20OR%20alert.attributes.params.threat.technique.subtechnique.name%3A%20%22Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%22)" } ], "cookies": [], "headersSize": 2941, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:52:50 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "Transfer-Encoding", "value": "chunked" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "elastic-api-version", "value": "2023-10-31" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": 
"Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "vary", "value": "accept-encoding" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 5239, "mimeType": "application/json", "compression": 2887, "text": "{\"page\":1,\"perPage\":20,\"total\":1,\"data\":[{\"id\":\"561cb5f3-6c26-4547-8959-681ac9b83e2b\",\"updated_at\":\"2024-12-06T16:51:18.436Z\",\"updated_by\":\"elastic\",\"created_at\":\"2024-12-04T19:45:40.284Z\",\"created_by\":\"elastic\",\"name\":\"Attempt to Modify an Okta Policy Rule\",\"tags\":[\"Use Case: Identity and Access Audit\",\"Tactic: Defense Evasion\",\"Data Source: Okta\"],\"interval\":\"5m\",\"enabled\":false,\"revision\":2,\"description\":\"Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.\",\"risk_score\":21,\"severity\":\"low\",\"note\":\"## Triage and analysis\\n\\n### Investigating Attempt to Modify an Okta Policy Rule\\n\\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\\n\\n#### Possible investigation steps:\\n\\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\\n- Check if there are multiple rule modification attempts from the same actor or IP address 
(`okta.client.ip`).\\n- Check for successful logins immediately following the modification attempt.\\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\\n\\n### False positive analysis:\\n\\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\\n- Verify the actor's administrative rights to ensure they are correctly configured.\\n\\n### Response and remediation:\\n\\n- If unauthorized modification is confirmed, initiate the incident response process.\\n- Immediately lock the affected actor account and require a password change.\\n- Consider resetting MFA tokens for the actor and require re-enrollment.\\n- Check if the compromised account was used to access or alter any sensitive data or systems.\\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\\n- Assess the criticality of affected services and servers.\\n- Work with your IT team to minimize the impact on users and maintain business continuity.\\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\",\"license\":\"Elastic License v2\",\"output_index\":\"\",\"timestamp_override\":\"event.ingested\",\"timestamp_override_fallback_disabled\":false,\"author\":[\"Elastic\"],\"false_positives\":[\"Consider adding exceptions to 
this rule to filter false positives if Okta MFA rules are regularly modified in your organization.\"],\"from\":\"now-60s\",\"rule_id\":\"000047bb-b27a-47ec-8b62-ef1a5d2c9e19\",\"max_signals\":100,\"risk_score_mapping\":[],\"severity_mapping\":[],\"threat\":[{\"framework\":\"MITRE ATT&CK\",\"tactic\":{\"id\":\"TA0005\",\"name\":\"Defense Evasion\",\"reference\":\"https://attack.mitre.org/tactics/TA0005/\"},\"technique\":[{\"id\":\"T1562\",\"name\":\"Impair Defenses\",\"reference\":\"https://attack.mitre.org/techniques/T1562/\",\"subtechnique\":[{\"id\":\"T1562.007\",\"name\":\"Disable or Modify Cloud Firewall\",\"reference\":\"https://attack.mitre.org/techniques/T1562/007/\"}]}]}],\"to\":\"now\",\"references\":[\"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm\",\"https://developer.okta.com/docs/reference/api/system-log/\",\"https://developer.okta.com/docs/reference/api/event-types/\",\"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy\",\"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security\",\"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta\"],\"version\":310,\"exceptions_list\":[{\"id\":\"82679834-e475-499c-a873-2bc20692221e\",\"list_id\":\"6e519c12-80ab-4e69-894f-e5cec55be127\",\"type\":\"rule_default\",\"namespace_type\":\"single\"}],\"immutable\":true,\"rule_source\":{\"type\":\"external\",\"is_customized\":true},\"related_integrations\":[{\"package\":\"okta\",\"version\":\"^3.0.0\"}],\"required_fields\":[{\"name\":\"event.action\",\"type\":\"keyword\",\"ecs\":true},{\"name\":\"event.dataset\",\"type\":\"keyword\",\"ecs\":true}],\"setup\":\"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\",\"type\":\"query\",\"language\":\"kuery\",\"index\":[\"filebeat-*\",\"logs-okta*\"],\"query\":\"event.dataset:okta.system and 
event.action:policy.rule.update\\n\",\"filters\":[],\"actions\":[]}]}" }, "redirectURL": "", "headersSize": 1401, "bodySize": 2352, "_transferSize": 3753, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:52:50.446Z", "time": 136.9210000266321, "timings": { "blocked": 26.346000040818005, "dns": -1, "ssl": -1, "connect": -1, "send": 0.1589999999999998, "wait": 110.04199999016896, "receive": 0.37399999564513564, "_blocked_queueing": 23.053000040818006, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19634, "columnNumber": 18 }, { "functionName": "getAll", "scriptId": "8953", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/savedObjectsTagging/1.0.0/savedObjectsTagging.plugin.js", "lineNumber": 2616, "columnNumber": 24 }, { "functionName": 
"refreshHandler", "scriptId": "8953", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/savedObjectsTagging/1.0.0/savedObjectsTagging.plugin.js", "lineNumber": 2182, "columnNumber": 43 }, { "functionName": "refresh", "scriptId": "8953", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/savedObjectsTagging/1.0.0/savedObjectsTagging.plugin.js", "lineNumber": 2463, "columnNumber": 30 }, { "functionName": "", "scriptId": "8953", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/savedObjectsTagging/1.0.0/savedObjectsTagging.plugin.js", "lineNumber": 2457, "columnNumber": 13 } ] } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "GET", "url": "http://localhost:5601/api/saved_objects_tagging/tags", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Referer", "value": "http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-system-request", "value": "true" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 1990, "bodySize": 0 }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:53:17 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "accept-ranges", "value": "bytes" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "220" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), 
web-share=()" }, { "name": "referrer-policy", "value": "strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 220, "mimeType": "application/json", "compression": 0, "text": "{\"tags\":[{\"id\":\"fleet-managed-default\",\"managed\":true,\"name\":\"Managed\",\"description\":\"\",\"color\":\"#FFFFFF\"},{\"id\":\"security-solution-default\",\"managed\":true,\"name\":\"Security Solution\",\"description\":\"\",\"color\":\"#D36086\"}]}" }, "redirectURL": "", "headersSize": 838, "bodySize": 220, "_transferSize": 1058, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:53:17.817Z", "time": 53.57799999183044, "timings": { "blocked": 2.5739999793618917, "dns": -1, "ssl": -1, "connect": -1, "send": 0.1140000000000001, "wait": 50.63800001446903, "receive": 0.2519999979995191, "_blocked_queueing": 1.4649999793618917, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 413, "columnNumber": 49 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.makeRequest", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 409, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 394, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "../../../node_modules/@elastic/ebt/shippers/elastic_v3/browser/src/browser_shipper.js.ElasticV3BrowserShipper.sendEvents", "scriptId": "8966", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 388, "columnNumber": 23 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 377, "columnNumber": 50 }, { "functionName": "step", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420580, "columnNumber": 22 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420561, "columnNumber": 52 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420554, "columnNumber": 70 }, { "functionName": "__awaiter", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 420550, "columnNumber": 11 }, { "functionName": "", "scriptId": "8966", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/telemetry/1.0.0/telemetry.plugin.js", "lineNumber": 372, "columnNumber": 65 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 80 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409345, "columnNumber": 28 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", 
"lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", 
"callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, 
{ "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { 
"functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { 
"functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": 
"OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", 
"url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, "columnNumber": 25 }, { "functionName": 
"__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ], "parent": { "description": "setInterval", "callFrames": [ { "functionName": "setInterval", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414362, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.requestAsyncId", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413851, "columnNumber": 82 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413846, "columnNumber": 71 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Scheduler.js.Scheduler.schedule", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406720, "columnNumber": 56 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408749, "columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", 
"scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 15 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "doInnerSub", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410787, "columnNumber": 105 }, { "functionName": "outerNext", "scriptId": "8885", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410782, "columnNumber": 69 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408272, "columnNumber": 23 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable._trySubscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406556, "columnNumber": 24 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406550, "columnNumber": 30 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "mergeInternals", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 
410821, "columnNumber": 11 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410862, "columnNumber": 179 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 415198, "columnNumber": 27 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406545, "columnNumber": 29 }, { "functionName": "errorContext", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 414879, "columnNumber": 8 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Observable.js.Observable.subscribe", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406541, "columnNumber": 79 }, { "functionName": "openBuffer", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 409346, "columnNumber": 103 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 410793, "columnNumber": 
27 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 412102, "columnNumber": 212 }, { "functionName": "OperatorSubscriber._this._next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408895, "columnNumber": 20 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/Subscriber.js.Subscriber.next", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 406968, "columnNumber": 17 }, { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 408751, "columnNumber": 27 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction._execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413880, "columnNumber": 17 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncAction.js.AsyncAction.execute", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413868, 
"columnNumber": 25 }, { "functionName": "__kbnSharedDeps_npm__.../../node_modules/rxjs/dist/esm5/internal/scheduler/AsyncScheduler.js.AsyncScheduler.flush", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 413945, "columnNumber": 32 } ] } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "request": { "method": "POST", "url": "https://telemetry-staging.elastic.co/v3/send/kibana-browser", "httpVersion": "h3", "headers": [ { "name": ":authority", "value": "telemetry-staging.elastic.co" }, { "name": ":method", "value": "POST" }, { "name": ":path", "value": "/v3/send/kibana-browser" }, { "name": ":scheme", "value": "https" }, { "name": "accept", "value": "*/*" }, { "name": "accept-encoding", "value": "gzip, deflate, br, zstd" }, { "name": "accept-language", "value": "en-US,en;q=0.9" }, { "name": "content-length", "value": "1165" }, { "name": "content-type", "value": "application/x-ndjson" }, { "name": "origin", "value": "http://localhost:5601" }, { "name": "priority", "value": "u=1, i" }, { "name": "referer", "value": "http://localhost:5601/" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "sec-fetch-dest", "value": "empty" }, { "name": "sec-fetch-mode", "value": "cors" }, { "name": "sec-fetch-site", "value": "cross-site" }, { "name": "user-agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "x-elastic-cluster-id", "value": "EHqtcAR2QhGSP7yHLfNlwg" }, { "name": "x-elastic-license-id", "value": "3c8db61e-5e38-46f9-9136-ef1d1e649473" }, { "name": "x-elastic-stack-version", "value": "9.0.0" } ], "queryString": [], "cookies": [], 
"headersSize": -1, "bodySize": 1165, "postData": { "mimeType": "application/x-ndjson", "text": "{\"timestamp\":\"2024-12-06T16:53:17.871Z\",\"event_type\":\"performance_metric\",\"context\":{\"isDev\":true,\"isDistributable\":false,\"version\":\"9.0.0\",\"branch\":\"main\",\"buildNum\":9007199254740991,\"buildSha\":\"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\",\"session_id\":\"954374bc-5779-4072-8be3-6c6c157902a0\",\"user_agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\",\"preferred_language\":\"en-US\",\"preferred_languages\":[\"en-US\",\"en\"],\"viewport_width\":1613,\"viewport_height\":546,\"cluster_name\":\"elasticsearch\",\"cluster_uuid\":\"EHqtcAR2QhGSP7yHLfNlwg\",\"cluster_version\":\"9.0.0-SNAPSHOT\",\"cluster_build_flavor\":\"default\",\"pageName\":\"application:securitySolutionUI:/rules/updates\",\"applicationId\":\"securitySolutionUI\",\"page\":\"/rules/updates\",\"page_title\":\"Elastic\",\"page_url\":\"/app/security/rules/updates\",\"license_id\":\"3c8db61e-5e38-46f9-9136-ef1d1e649473\",\"license_status\":\"active\",\"license_type\":\"trial\",\"labels\":{},\"discoverProfiles\":[],\"userId\":\"986051385feae5b9850804db2d701c0b029ad24f09bce340c12aee7a5c8a0391\",\"isElasticCloudUser\":false},\"properties\":{\"eventName\":\"getAllTag\",\"duration\":56.299999952316284}}\n" } }, "response": { "status": 200, "statusText": "", "httpVersion": "h3", "headers": [ { "name": "access-control-allow-origin", "value": "*" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "alt-svc", "value": "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000" }, { "name": "content-encoding", "value": "gzip" }, { "name": "content-type", "value": "application/json" }, { "name": "date", "value": "Fri, 06 Dec 2024 16:53:18 GMT" }, { "name": "function-execution-id", "value": "gs3eix4cugii" }, { "name": "server", "value": "Google Frontend" }, { "name": "via", 
"value": "1.1 google" }, { "name": "x-cloud-trace-context", "value": "fd19e94af8f0cf7f74a0b341baa49b32" } ], "cookies": [], "content": { "size": 16, "mimeType": "application/json", "text": "{\"status\": \"ok\"}" }, "redirectURL": "", "headersSize": -1, "bodySize": -1, "_transferSize": 53, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "[2600:1901:0:2fb7::]", "startedDateTime": "2024-12-06T16:53:18.172Z", "time": 336.8159999954514, "timings": { "blocked": 96.74400001127646, "dns": -1, "ssl": -1, "connect": -1, "send": 0.5049999999999999, "wait": 238.27000000347942, "receive": 1.2969999806955457, "_blocked_queueing": 96.08300001127645, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } }, { "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3721, "columnNumber": 30 }, { "functionName": "window.fetch", "scriptId": "8885", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-npm/kbn-ui-shared-deps-npm.dll.js", "lineNumber": 3715, "columnNumber": 11 }, { "functionName": "fetchResponse", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19594, "columnNumber": 30 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19518, "columnNumber": 39 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19514, "columnNumber": 13 }, { "functionName": "", "scriptId": "8816", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/core/core.entry.js", "lineNumber": 19634, "columnNumber": 18 }, { "functionName": "http", "scriptId": "8843", "url": 
"http://localhost:5601/XXXXXXXXXXXX/bundles/plugin/usageCollection/1.0.0/usageCollection.plugin.js", "lineNumber": 624, "columnNumber": 35 }, { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16791, "columnNumber": 21 }, { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16763, "columnNumber": 15 } ], "parent": { "description": "setTimeout", "callFrames": [ { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16761, "columnNumber": 24 }, { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16802, "columnNumber": 11 } ], "parent": { "description": "await", "callFrames": [ { "functionName": "", "scriptId": "8845", "url": "http://localhost:5601/XXXXXXXXXXXX/bundles/kbn-ui-shared-deps-src/kbn-ui-shared-deps-src.js", "lineNumber": 16763, "columnNumber": 15 } ] } } } } }, "_priority": "High", "_resourceType": "fetch", "cache": {}, "connection": "2395210", "request": { "method": "POST", "url": "http://localhost:5601/api/ui_counters/_report", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Accept", "value": "*/*" }, { "name": "Accept-Encoding", "value": "gzip, deflate, br, zstd" }, { "name": "Accept-Language", "value": "en-US,en;q=0.9" }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "755" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Host", "value": "localhost:5601" }, { "name": "Origin", "value": "http://localhost:5601" }, { "name": "Referer", "value": 
"http://localhost:5601/app/security/rules/updates?rulesTable=(searchTerm:%27Attempt%20to%20Modify%20an%20Okta%20Policy%20Rule%27)&sourcerer=(default:(id:security-solution-default,selectedPatterns:!(.alerts-security.alerts-default)))&timerange=(global:(linkTo:!(timeline),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)),timeline:(linkTo:!(global),timerange:(from:%272024-12-06T08:00:00.000Z%27,fromStr:now%2Fd,kind:relative,to:%272024-12-07T07:59:59.999Z%27,toStr:now%2Fd)))&timeline=(activeTab:query,graphEventId:%27%27,isOpen:!f)" }, { "name": "Sec-Fetch-Dest", "value": "empty" }, { "name": "Sec-Fetch-Mode", "value": "cors" }, { "name": "Sec-Fetch-Site", "value": "same-origin" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" }, { "name": "kbn-build-number", "value": "9007199254740991" }, { "name": "kbn-system-request", "value": "true" }, { "name": "kbn-version", "value": "9.0.0" }, { "name": "sec-ch-ua", "value": "\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"" }, { "name": "sec-ch-ua-mobile", "value": "?0" }, { "name": "sec-ch-ua-platform", "value": "\"macOS\"" }, { "name": "x-elastic-internal-origin", "value": "Kibana" }, { "name": "x-kbn-context", "value": "%7B%22type%22%3A%22application%22%2C%22name%22%3A%22securitySolutionUI%22%2C%22url%22%3A%22%2Fapp%2Fsecurity%2Frules%2Fid%2F52c14042-8edf-4151-b8dd-5b0fe95da87d%2Falerts%22%2C%22page%22%3A%22%2Frules%2Fupdates%22%7D" } ], "queryString": [], "cookies": [], "headersSize": 2036, "bodySize": 755, "postData": { "mimeType": "application/json", "text": 
"{\"report\":{\"reportVersion\":3,\"uiCounter\":{\"ebt_counters.client-enqueued_enqueued-performance_metric\":{\"key\":\"ebt_counters.client-enqueued_enqueued-performance_metric\",\"appName\":\"ebt_counters.client\",\"eventName\":\"performance_metric\",\"type\":\"enqueued_enqueued\",\"total\":1},\"ebt_counters.client-sent_to_shipper_OK-performance_metric\":{\"key\":\"ebt_counters.client-sent_to_shipper_OK-performance_metric\",\"appName\":\"ebt_counters.client\",\"eventName\":\"performance_metric\",\"type\":\"sent_to_shipper_OK\",\"total\":1},\"ebt_counters.elastic_v3_browser-succeeded_200-performance_metric\":{\"key\":\"ebt_counters.elastic_v3_browser-succeeded_200-performance_metric\",\"appName\":\"ebt_counters.elastic_v3_browser\",\"eventName\":\"performance_metric\",\"type\":\"succeeded_200\",\"total\":1}}}}" } }, "response": { "status": 200, "statusText": "OK", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Connection", "value": "keep-alive" }, { "name": "Date", "value": "Fri, 06 Dec 2024 16:53:27 GMT" }, { "name": "Keep-Alive", "value": "timeout=120" }, { "name": "cache-control", "value": "private, no-cache, no-store, must-revalidate" }, { "name": "content-length", "value": "15" }, { "name": "content-security-policy", "value": "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'" }, { "name": "content-security-policy-report-only", "value": "form-action 'report-sample' 'self'" }, { "name": "content-type", "value": "application/json; charset=utf-8" }, { "name": "cross-origin-opener-policy", "value": "same-origin" }, { "name": "kbn-license-sig", "value": "c34833e07d48ee883c2bd846933c4c336916c9888243f9e5a9793597b858595c" }, { "name": "kbn-name", "value": "Paulas-MacBook-Pro.local" }, { "name": "permissions-policy", "value": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()" }, { "name": "referrer-policy", "value": 
"strict-origin-when-cross-origin" }, { "name": "x-content-type-options", "value": "nosniff" } ], "cookies": [], "content": { "size": 15, "mimeType": "application/json", "compression": 0, "text": "{\"status\":\"ok\"}" }, "redirectURL": "", "headersSize": 815, "bodySize": 15, "_transferSize": 830, "_error": null, "_fetchedViaServiceWorker": false }, "serverIPAddress": "127.0.0.1", "startedDateTime": "2024-12-06T16:53:27.087Z", "time": 317.7399999694899, "timings": { "blocked": 3.2859999917671083, "dns": -1, "ssl": -1, "connect": -1, "send": 0.20100000000000007, "wait": 313.7380000143796, "receive": 0.5149999633431435, "_blocked_queueing": 1.9099999917671084, "_workerStart": -1, "_workerReady": -1, "_workerFetchStart": -1, "_workerRespondWithSettled": -1 } } ] } }